SlideShare a Scribd company logo
1 of 77
Download to read offline
Antonio Fontes| OWASP Switzerland


Securing your web project before it
hurts your organization
antonio.fontes@owasp.org / SDLC Security




          Agenda
          -    What's happening right now?
          -    From reactive to proactive
          -    What others do?
          -    What can I do?




                                             2
antonio.fontes@owasp.org / SDLC Security




          Bio
          • Antonio Fontes
          • Geneva (Switzerland)
          • Independant infosec/appsec consultant:
                – Web applications security
                – Risk visibility and management
                – Training, mentoring, coaching
          • Cybercrime/Internet threats analysis report:
                – http://cddb.ch , written in French, sorry :/
          • OWASP:
                – Switzerland Board Member
                – Geneva Chapter Leader
                                                                 3
antonio.fontes@owasp.org / SDLC Security




          Who are you?




          •    Builders? writing secure code
          •    Breakers? breaking into insecure code
          •    Defenders? protecting insecure code
          •    Managers?
                                                       4
antonio.fontes@owasp.org / SDLC Security




          Agenda
          What's happening right now?
          From reactive to proactive
          What others do?
          What can I do?




                                           5
antonio.fontes@owasp.org / SDLC Security




          Threat context
          Incomplete specification documents:




                                                6
antonio.fontes@owasp.org / SDLC Security




          Threat context




                                           7
antonio.fontes@owasp.org / SDLC Security




          Threat context




                                           8
antonio.fontes@owasp.org / SDLC Security




          Threat context




                                           9
antonio.fontes@owasp.org / SDLC Security




          Threat context
          1.     Analysis --> specs
          2.     Design --> architecture/API
          3.     Implement --> code
          4.     Validate --> binaries
          5.     Deploy --> product
          6.     Audit --> flaws/vulnerabilities
          7.     Back to 1.

                                                   10
antonio.fontes@owasp.org / SDLC Security




          Threat context




                                           11
antonio.fontes@owasp.org / SDLC Security




                                           注意輔助CSRF
                                             的!!




             Tú eres el CSRF!




                                                      12
antonio.fontes@owasp.org / SDLC Security




          Threat context




                                           13
antonio.fontes@owasp.org / SDLC Security




          Threat context




                                           14
antonio.fontes@owasp.org / SDLC Security




          Threat context




                                           15
antonio.fontes@owasp.org / SDLC Security




          Threat context




                                           16
antonio.fontes@owasp.org / SDLC Security




          Threat context
          Which of the following technologies
            should we protect against "___
            Injection" attacks?

          A.LDAP
          B.HTML
          C.Xpath
          D.SQL (in the source code)
          E.SQL (in a stored procedure)
                                                17
antonio.fontes@owasp.org / SDLC Security




          Threat context
   You own an online dating website for VIPs.
     You enforce SSL in all connections as you
     value your customers privacy. A user
     connects from the corporate network,
     where SSL deep-packet analysis was
     enabled. What happens in the browser?

   A.The browser displays a "red" warning
   B.The browser displays a "yellow" warning
   C.Nothing, all lights green as usual.
                                                 18
antonio.fontes@owasp.org / SDLC Security




          Threat context
          Which of the following technologies
            should we protect against "___
            Injection" attacks?

          A.LDAP --> yes
          B.HTML --> yes
          C.Xpath --> yes
          D.SQL (in the source code) --> yes
          E.SQL (in a stored procedure) --> yes
                                                  19
antonio.fontes@owasp.org / SDLC Security




          Threat context
   You own an online dating website for VIPs.
     You enforce SSL in all connections as you
     value your customers privacy. A user
     connects from the corporate network,
     where SSL deep-packet analysis was
     enabled. What happens in the browser?

   A.The browser shows a "red" warning --> no.
   B.The browser shows a "yellow" warning --> maybe
   C.Nothing, all lights green as usual --> probably
                                                       20
antonio.fontes@owasp.org / SDLC Security




          Threat context
           // anti-SQL Injection attacks filter
           String ValidateInput(string input)
           {
             String tmp = input.toUpperCase();
             return(tmp.Replace("SELECT", "").replace("INSERT",
           "").replace("UPDATE",
           "").replace("UNION","").replace("BENCHMARK,
           "").replace("--", "").replace("OR 1=1",
           "").replace("DROP", "").replace("@@version",
           "").replace("WAITFOR", "").replace("OUTFILE", "")
           ...
             return(tmp)
           }


                                                                  21
antonio.fontes@owasp.org / SDLC Security




          Threat context
           // anti-SQL Injection attacks filter
           String ValidateInput(string input)
           {
             String tmp = input.toUpperCase();
             return(tmp.Replace("SELECT", "").replace("INSERT",
           "").replace("UPDATE",
                           "DRDROPOP table" ?
           "").replace("UNION","").replace("BENCHMARK,
           "").replace("--", "").replace("OR 1=1",
           "").replace("DROP", "").replace("@@version",
           "").replace("WAITFOR", "").replace("OUTFILE", "")
           ...
             return(tmp)
           }


                                                                  22
antonio.fontes@owasp.org / SDLC Security




          Threat context
          six@nine:~$ls /etc/conf/threats/
            marketing
            compliance
            technology
            hacking
            hacktivism
            cybercrime / corporate espionage
            people
            cyberterrorism
            cyberwar
            9 folder(s) found
                                               23
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          • About 900 software vulnerabilities:
                – http://cwe.mitre.org/




                                                  24
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          • About 35
            webapps
            attack
            techniques:




                                           25
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          • About 15
            weaknesses:




                http://projects.webappsec.org
                                                26
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          • 8 core secure development principles:
                –    Data input validation
                –    Data output encoding
                –    Error handling
                –    Authentication / Authorization
                –    Session management
                –    Secure communications
                –    Secure storage
                –    Secure resource access
          http://www.slideshare.net/BSides/the-principles-of-secure-
             development-david-rook
                                                                       27
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          • Software vulnerabilities appear at 3
            major stages of the SDLC:
                – DESIGN time
                – IMPLEMENTATION time
                – DEPLOYMENT time

          Whether from within your organization…or from
           your software vendor…

                                                          28
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          • Design time vulnerabilities:
                – Appear in the specifications/requirements
                  documents (security features vs. secure features)
          • Causes:
                – Lack of security requirements analysis
                – Misunderstanding of the requirements
                – Insufficient or ambiguous specification
                – Specifications not being reviewed
          • Remediation cost: high                                    29
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          • Coding time vulnerabilities:
                – Appear during the coding phase.
          • Causes:
                – Misunderstanding of the technology
                – Lack of good practices
                – Secure code not being reused
                – Code not being reviewed
                – Mistakes, distractions, errors, …
          • Remediation cost: average                  30
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          • Deploy time vulnerabilities:
                – Appear during/after the deployment.
          • Causes:
                – Insecure default configuration
                – Insecure installation procedure
                – Installed on insecure systems/networks
                – Configurations not being reviewed
          • Remediation cost: low
                                                           31
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          • What about outsoucring?
                – How do you make sure the code is clean?
                – How do you know they can fix it?
          • Causes:
                – Incomplete vendor agreements / contracts
                – Lack of requirements / specifications
                – Lack of governance / controls
          • Remediation cost: high
                                                             32
antonio.fontes@owasp.org / SDLC Security




          What do we know today?
          Organizations have a tolerance level (risk
           appetite):
          • "I want to be compliant!"
                – Get your webapp audited (checklist).
          • "I want to keep my database inside!"
                – Get a documented solution to the Top10 problem.
          • "I want 'secure' written on marketing material!"
                – Get/hire/rent an appsec professional
          What's yours?
                                                                    33
antonio.fontes@owasp.org / SDLC Security




          Challenge(s)
          • The threat landscape is highly mobile,
            proactive, evolving and..smart.
                – and moreover: it is increasing!
          • Weaknesses, on the other side, are highly
            static, reproducible and...detectable.
          • Organizations are still limited by time and
            money constraints.
          • Challenge: Identifying opportunities to
            maintain risk to its lowest level, at the lowest
            cost.
                                                               34
antonio.fontes@owasp.org / SDLC Security




          Agenda
          What's happening right now?
          From reactive to proactive
          What others do?
          What can I do?




                                           35
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




                                                                                                  36
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - nah.

          Detection:
          - nah.




                                                                                                  37
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - "Our software architect has ten years experience in…". Nah.

          Detection:
          - nah.




                                                                                                  38
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - Nah.
          - Sometimes: "hey, let's send all our developers to a security
          trainnig!"

          Detection:
          - If it passes build+compile, then it's gold baby!!
          - …nah.



                                                                                                  39
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - Nah.

          Detection:
          - Right password should work.
          - Wrong password should not work.
          - Logoff should work.
          -…
          - nah…

                                                                                                  40
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - "our integrators have ten years experience in…" .. Nah.

          Detection:
          - "We will conduct a penetration test. Soon!!"




                                                                                                  41
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - Nah.

          Detection:
          - PENTEST TIME!!! (aka: asking 'ethical hackers' to simulate an
          intrusion attempt)




                                                                                                  42
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations


           Risk level




                                                                                                  43
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release    Operations

                                                                                            Fixing
                                                                                            costs
                                                                               Risk level




                                                                                                     44
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification    Release       Operations

                                                                                               Fixing
                                                                                               costs
                                                                                  Risk level




                                                                           Tolerated risk level




                                                                                                        45
antonio.fontes@owasp.org / SDLC Security




          Reactive risk control in the SDLC
         Inception           Design        Implementation   Verification    Release       Operations

                                                                                            Fixing
                                                                                            costs
                                                                                   Risk level

                                                                                     Penetration
                                                                                     test


                                                                           Tolerated risk level




                                                                                                       46
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification    Release       Operations

                                                                                            Fixing
                                                                                            costs
                                                                                   Risk level




                                                                           Tolerated risk level




           Good practices: early
           prevention

                                                                                                       47
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification    Release       Operations

                                                                                            Fixing
                                                                                            costs
                                                                                   Risk level




                                                                           Tolerated risk level




           Good practices: early                      Checkpoints: early
           prevention                                 detection

                                                                                                       48
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification      Release        Operations




                                                                             Residual risk




                              Tolerated risk level
                                                                                              Risk level


                                                                           Fixing
                                                                           costs
           Good practice: early prevention            Checkpoint: early
                                                      detection

                                                                                                           49
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - Analysis of security & privacy requirements
          Detection:
          -Review
          - Vendor selection criteria




                                                                                                  50
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations



          Prevention:
          - Secure design and architecture guidance
          - Secure software requirements definition guidance
          - Awareness of web induced risks
          - Threat modeling
          - Service Level Agreement
          - Vendor contract: security quality & service agreement
          Detection:
          - Requirements/specification analysis
          - Design security review
          - Vendor offer: how is the vendor solving major problems?
                                                                                                  51
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - Secure development environment configuration
          - Secure coding guidance
          - Vendor contract: access to code review reports & coding
          practices
          Detection:
          - Code security review




                                                                                                  52
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - N/A
          Detection:
          -Security testing
          - Vendor contract: access to test plan and test results
          - Vendor contract: authorization to perform your own tests
          - Vendor contract: security acceptance criteria (Top 10? ASVS?)




                                                                                                  53
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - Secure application deployment guidance
          Detection:
          -Vulnerability/Configuration security assessment
          - Vendor contract: deployment guidance acceptance criteria




                                                                                                  54
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention:
          - Maintain secure environments (networks, systems, services)
          - Incident response planing
          - Vendor agreement: service level agreement (impact analysis,
          cross-client breach notification, etc.)
          Detection:
          - Vulnerability assessment
          - Penetration testing
          - Vendor agreement: authorization to attack your own service

                                                                                                  55
antonio.fontes@owasp.org / SDLC Security




          Proactive risk control in the SDLC
         Inception           Design        Implementation   Verification   Release   Operations




          Prevention activities:
          - Rely on approved methods and tools to produce secure code
          - Vendor contract: ensure your software vendor agreed on
          security deliverables and activities

          Detection activities:
          - Deploy small controls all along the line to detect
          potential weaknesses.
          - Vendor contract: ensure you have full right to test your
          system and/or if necessary, its source code, and/or access
          to independent testing results.
                                                                                                  56
antonio.fontes@owasp.org / SDLC Security




          Agenda
          What's happening right now?
          From reactive to proactive
          What others do?
          What can I do?




                                           57
antonio.fontes@owasp.org / SDLC Security




          Secure SDLC examples
          •    Microsoft
          •    Mozilla
          •    OWASP
          •    BSIMM




                                           58
antonio.fontes@owasp.org / SDLC Security




          SDLC, SDL?
          • SDLC:
                – Systems Development Lifecycle
          • SDL:
                – Security Development Lifecycle
                       • By Microsoft originaly
                       • but many companies now have their 'SDL'




                                                                   59
antonio.fontes@owasp.org / SDLC Security




          Microsoft SDL




          (collaboration with Adobe and Cisco)


          http://www.microsoft.com/security/sdl



                                                  60
antonio.fontes@owasp.org / SDLC Security




          Microsoft SDL




                                           61
antonio.fontes@owasp.org / SDLC Security




          Mozilla




          https://wiki.mozilla.org/Security/Reviews/Secure_Develo
             pment_Lifecycle                                        62
antonio.fontes@owasp.org / SDLC Security




          Mozilla




                                           63
antonio.fontes@owasp.org / SDLC Security




          OWASP OpenSAMM




          https://www.owasp.org/index.php/Category:Software_Assurance_
             Maturity_Model

                                                                         64
antonio.fontes@owasp.org / SDLC Security




          OWASP OpenSAMM




                                           65
antonio.fontes@owasp.org / SDLC Security




          BSIMM




          http://bsimm.com
                                           66
antonio.fontes@owasp.org / SDLC Security




          BSIMM




                                           67
antonio.fontes@owasp.org / SDLC Security




          BSIMM




                                           68
antonio.fontes@owasp.org / SDLC Security




          Agenda
          What's happening right now?
          From reactive to proactive
          What others do?
          What can I do?




                                           69
antonio.fontes@owasp.org / SDLC Security




          "Custom" SDLC-security integration
         Inception           Design        Implementation      Verification     Release        Operations


         Security            Secure           Coding             Security        Secure           Incident
       requirements          design          guidelines          testing       deployment        response

                                             Automated
           Risk             Threat                                       Risk                  Vulnerability
                                            source code
          analysis         modeling                                   assessment               management
                                               review
                             Design                                                       Penetration
                             review                                                         tests


                                             Training & awareness program

                                              Policy & Compliance watch

                 Governance (Software security group, taskforce, strategy , metrics and dashboards)



                                                                                                               70
antonio.fontes@owasp.org / SDLC Security




          Get inspired
          • Don't underestimate checklists!
          • Preliminary triage check:
                1.      Is it accessible from Internet?
                2.      Is it collecting/handling regulated data?
                       • Privacy, Financial, HIPAA, etc.
                3.      Is it connected to business process systems?
                4.      Does it rely on risky technology?
                5.      How critical is it for the business?
                6.      Do we have control over the source code?
                7.      Do we host the application?
                8.      Etc.                                           71
antonio.fontes@owasp.org / SDLC Security




          Get inspired
          • Document your solutions to major
            problems:
                1.      How is input data validated?
                2.      How is output data encoded?
                3.      How are 3rd party systems interrogated?
                4.      How are requests authenticated/authorized/audited?
                5.      How do you store sensitive data?
                6.      How do you transport sensitive data?
                7.      Do you use cryptography? How? Where?
                8.      How do you handle errors and exceptions?

                                                                             72
antonio.fontes@owasp.org / SDLC Security




          Get inspired
          • Most of these models were built in years
            and adopted by large software vendors.
          • Read them but don't try copy-pasting
            them in your organization!
          • Adapt: with your strengths/weaknesses:
                – You have $$$? Hire read teams!
                – You have talent? Strengthen your APIs!


                                                           73
antonio.fontes@owasp.org / SDLC Security




          If you got lost…
          1. Document your API-based solution
             to each item of the OWASP Top 10
          2. Integrate an automated run of a security testing
             software against your application.
          3. Integrate an automated run of a source code
             security analysis software.
          4. Add a questionnaire in your change management
             process:
                               1.     Authentication?           6.   Access to 3rd. Parties?
                               2.     Authorization?            7.   Sensitive data storage?
                               3.     Audit? Log?               8.   Sensitive data transport?
                               4.     Input? Validation rule?   9.   Use of cryptography?
                               5.     Output? Encoding rule?                                74
antonio.fontes@owasp.org / SDLC Security




          If you got lost…
          5. Get a documented threat model and
             how you respond to each threat
          6. Formalize your incident response team and process
          7. Establish coding guidelines (and make them
             available on the intranet)


          8. Rearrange this list as it suits you best!




                                                                 75
Questions
antonio.fontes@owasp.org / SDLC Security




                                           Thank you!
          Contact me:
            antonio.fontes@owasp.org
            @starbuck3000
            https://www.slideshare.net/starbuck3000

          Connect to your OWASP local chapters:
            https://www.owasp.org/index.php/Germany
            https://www.owasp.org/index.php/Switzerland

          This afternoon talk:
            Top 10 webapp intrusion techniques
                                                          77

More Related Content

What's hot

An introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groupsAn introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groupsTomas Ericsson
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Marco Morana
 
Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsSecureDocs
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceGlobal Knowledge Training
 
CSCSS Science of Security - Developing Scientific Foundations for the Operati...
CSCSS Science of Security - Developing Scientific Foundations for the Operati...CSCSS Science of Security - Developing Scientific Foundations for the Operati...
CSCSS Science of Security - Developing Scientific Foundations for the Operati...Shawn Riley
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?ESET
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of SpartaLancope, Inc.
 
Tutorial security patterns
Tutorial security patternsTutorial security patterns
Tutorial security patternsThomas Jindu
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsPeter Wood
 
Craig wilson
Craig wilsonCraig wilson
Craig wilsonIPPAI
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Cybersecurity Education and Research Centre
 
How to Prepare for the CISSP Exam
How to Prepare for the CISSP ExamHow to Prepare for the CISSP Exam
How to Prepare for the CISSP Examkoidis
 
Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Security Innovation
 
CACR Overview
CACR OverviewCACR Overview
CACR OverviewVon Welch
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Practical approaches to IoT security
Practical approaches to IoT securityPractical approaches to IoT security
Practical approaches to IoT securityTony Wilson
 
The Network Enabled Emergency Operations Center (EOC)
The Network Enabled Emergency Operations Center (EOC)The Network Enabled Emergency Operations Center (EOC)
The Network Enabled Emergency Operations Center (EOC)Cisco Crisis Response
 

What's hot (20)

An introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groupsAn introduction to the CISSP certification for self study groups
An introduction to the CISSP certification for self study groups
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat Review
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
 
Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco morana
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
 
CSCSS Science of Security - Developing Scientific Foundations for the Operati...
CSCSS Science of Security - Developing Scientific Foundations for the Operati...CSCSS Science of Security - Developing Scientific Foundations for the Operati...
CSCSS Science of Security - Developing Scientific Foundations for the Operati...
 
Is Anti-Virus Dead?
Is Anti-Virus Dead?Is Anti-Virus Dead?
Is Anti-Virus Dead?
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
Tutorial security patterns
Tutorial security patternsTutorial security patterns
Tutorial security patterns
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Craig wilson
Craig wilsonCraig wilson
Craig wilson
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
How to Prepare for the CISSP Exam
How to Prepare for the CISSP ExamHow to Prepare for the CISSP Exam
How to Prepare for the CISSP Exam
 
Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016Best Practices for a Mature Application Security Program Webinar - February 2016
Best Practices for a Mature Application Security Program Webinar - February 2016
 
CACR Overview
CACR OverviewCACR Overview
CACR Overview
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Practical approaches to IoT security
Practical approaches to IoT securityPractical approaches to IoT security
Practical approaches to IoT security
 
The Network Enabled Emergency Operations Center (EOC)
The Network Enabled Emergency Operations Center (EOC)The Network Enabled Emergency Operations Center (EOC)
The Network Enabled Emergency Operations Center (EOC)
 

Viewers also liked

Web Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web PanoramaWeb Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web Panoramanfteodoro
 
SDLC Transformation-Point of View
SDLC Transformation-Point of ViewSDLC Transformation-Point of View
SDLC Transformation-Point of ViewBob Sanders
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentAndris Soroka
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Denim Group
 
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014m1splacedsoul
 
Washington Mutual Bank's Collapse Under An Audit Perspective
 Washington Mutual Bank's  Collapse Under An Audit Perspective Washington Mutual Bank's  Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspectivehong_nona
 
KSA Business Intelligence Qualifications
KSA Business Intelligence QualificationsKSA Business Intelligence Qualifications
KSA Business Intelligence QualificationsJDOLIV
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1Bryan Cline, Ph.D.
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Test Process Maturity Measurement and Related Measurements
Test Process Maturity Measurement and Related MeasurementsTest Process Maturity Measurement and Related Measurements
Test Process Maturity Measurement and Related MeasurementsSTAG Software Private Limited
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during developmentIT Weekend
 
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyDSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyAndris Soroka
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionTom Laszewski
 
Third Party Risk Due Diligence - Feb 2012
Third Party Risk Due Diligence - Feb 2012Third Party Risk Due Diligence - Feb 2012
Third Party Risk Due Diligence - Feb 2012aj22dms
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Marco Morana
 
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLCDevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLCCA Technologies
 
NG BB 49 Risk Assessment
NG BB 49 Risk AssessmentNG BB 49 Risk Assessment
NG BB 49 Risk AssessmentLeanleaders.org
 

Viewers also liked (20)

Web Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web PanoramaWeb Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web Panorama
 
SDLC Transformation-Point of View
SDLC Transformation-Point of ViewSDLC Transformation-Point of View
SDLC Transformation-Point of View
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013  - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
 
Washington Mutual Bank's Collapse Under An Audit Perspective
 Washington Mutual Bank's  Collapse Under An Audit Perspective Washington Mutual Bank's  Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspective
 
KSA Business Intelligence Qualifications
KSA Business Intelligence QualificationsKSA Business Intelligence Qualifications
KSA Business Intelligence Qualifications
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Test Process Maturity Measurement and Related Measurements
Test Process Maturity Measurement and Related MeasurementsTest Process Maturity Measurement and Related Measurements
Test Process Maturity Measurement and Related Measurements
 
Ensure Software Security already during development
Ensure Software Security already during developmentEnsure Software Security already during development
Ensure Software Security already during development
 
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyDSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
 
Application of Quality Risk Management in Commissioning & Qualifcation
Application of Quality Risk Management in Commissioning & QualifcationApplication of Quality Risk Management in Commissioning & Qualifcation
Application of Quality Risk Management in Commissioning & Qualifcation
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps session
 
Third Party Risk Due Diligence - Feb 2012
Third Party Risk Due Diligence - Feb 2012Third Party Risk Due Diligence - Feb 2012
Third Party Risk Due Diligence - Feb 2012
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
 
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLCDevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLC
 
NG BB 49 Risk Assessment
NG BB 49 Risk AssessmentNG BB 49 Risk Assessment
NG BB 49 Risk Assessment
 

Similar to Securing your web apps before they hurt the organization

Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
SoftwareSecurity.ppt
SoftwareSecurity.pptSoftwareSecurity.ppt
SoftwareSecurity.pptssuserfb92ae
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software SecuritydevObjective
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...lior mazor
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 

Similar to Securing your web apps before they hurt the organization (20)

Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Bsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptxBsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptx
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
SoftwareSecurity.ppt
SoftwareSecurity.pptSoftwareSecurity.ppt
SoftwareSecurity.ppt
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 
Who owns Software Security
Who owns Software SecurityWho owns Software Security
Who owns Software Security
 
Who Owns Software Security?
Who Owns Software Security?Who Owns Software Security?
Who Owns Software Security?
 
Super1
Super1Super1
Super1
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 

More from Antonio Fontes

Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseAntonio Fontes
 
Modéliser les menaces d'une application web
Modéliser les menaces d'une application webModéliser les menaces d'une application web
Modéliser les menaces d'une application webAntonio Fontes
 
Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Antonio Fontes
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteAntonio Fontes
 
Rapid Threat Modeling : case study
Rapid Threat Modeling : case studyRapid Threat Modeling : case study
Rapid Threat Modeling : case studyAntonio Fontes
 
Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Antonio Fontes
 
IT Security Days - Threat Modeling
IT Security Days - Threat ModelingIT Security Days - Threat Modeling
IT Security Days - Threat ModelingAntonio Fontes
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
The top 10 web application intrusion techniques
The top 10 web application intrusion techniquesThe top 10 web application intrusion techniques
The top 10 web application intrusion techniquesAntonio Fontes
 
Cyber-attaques: mise au point
Cyber-attaques: mise au pointCyber-attaques: mise au point
Cyber-attaques: mise au pointAntonio Fontes
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?Antonio Fontes
 

More from Antonio Fontes (13)

Sécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défenseSécurité des applications web: attaque et défense
Sécurité des applications web: attaque et défense
 
Modéliser les menaces d'une application web
Modéliser les menaces d'une application webModéliser les menaces d'une application web
Modéliser les menaces d'une application web
 
Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012Trouvez la faille! - Confoo 2012
Trouvez la faille! - Confoo 2012
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Rapid Threat Modeling : case study
Rapid Threat Modeling : case studyRapid Threat Modeling : case study
Rapid Threat Modeling : case study
 
Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...Sécurité dans les contrats d'externalisation de services de développement et ...
Sécurité dans les contrats d'externalisation de services de développement et ...
 
Meet the OWASP
Meet the OWASPMeet the OWASP
Meet the OWASP
 
IT Security Days - Threat Modeling
IT Security Days - Threat ModelingIT Security Days - Threat Modeling
IT Security Days - Threat Modeling
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
The top 10 web application intrusion techniques
The top 10 web application intrusion techniquesThe top 10 web application intrusion techniques
The top 10 web application intrusion techniques
 
Cyber-attaques: mise au point
Cyber-attaques: mise au pointCyber-attaques: mise au point
Cyber-attaques: mise au point
 
Web application security: how to start?
Web application security: how to start?Web application security: how to start?
Web application security: how to start?
 
Owasp Top10 2010 rc1
Owasp Top10 2010 rc1Owasp Top10 2010 rc1
Owasp Top10 2010 rc1
 

Recently uploaded

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)Wonjun Hwang
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxjbellis
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...SOFTTECHHUB
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 

Recently uploaded (20)

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 

Securing your web apps before they hurt the organization

  • 1. Antonio Fontes| OWASP Switzerland Securing your web project before it hurts your organization
  • 2. antonio.fontes@owasp.org / SDLC Security Agenda - What's happening right now? - From reactive to proactive - What others do? - What can I do? 2
  • 3. antonio.fontes@owasp.org / SDLC Security Bio • Antonio Fontes • Geneva (Switzerland) • Independant infosec/appsec consultant: – Web applications security – Risk visibility and management – Training, mentoring, coaching • Cybercrime/Internet threats analysis report: – http://cddb.ch , written in French, sorry :/ • OWASP: – Switzerland Board Member – Geneva Chapter Leader 3
  • 4. antonio.fontes@owasp.org / SDLC Security Who are you? • Builders? writing secure code • Breakers? breaking into insecure code • Defenders? protecting insecure code • Managers? 4
  • 5. antonio.fontes@owasp.org / SDLC Security Agenda What's happening right now? From reactive to proactive What others do? What can I do? 5
  • 6. antonio.fontes@owasp.org / SDLC Security Threat context Incomplete specification documents: 6
  • 7. antonio.fontes@owasp.org / SDLC Security Threat context 7
  • 8. antonio.fontes@owasp.org / SDLC Security Threat context 8
  • 9. antonio.fontes@owasp.org / SDLC Security Threat context 9
  • 10. antonio.fontes@owasp.org / SDLC Security Threat context 1. Analysis --> specs 2. Design --> architecture/API 3. Implement --> code 4. Validate --> binaries 5. Deploy --> product 6. Audit --> flaws/vulnerabilities 7. Back to 1. 10
  • 11. antonio.fontes@owasp.org / SDLC Security Threat context 11
  • 12. antonio.fontes@owasp.org / SDLC Security 注意輔助CSRF 的!! Tú eres el CSRF! 12
  • 13. antonio.fontes@owasp.org / SDLC Security Threat context 13
  • 14. antonio.fontes@owasp.org / SDLC Security Threat context 14
  • 15. antonio.fontes@owasp.org / SDLC Security Threat context 15
  • 16. antonio.fontes@owasp.org / SDLC Security Threat context 16
  • 17. antonio.fontes@owasp.org / SDLC Security Threat context Which of the following technologies should we protect against "___ Injection" attacks? A.LDAP B.HTML C.Xpath D.SQL (in the source code) E.SQL (in a stored procedure) 17
  • 18. antonio.fontes@owasp.org / SDLC Security Threat context You own an online dating website for VIPs. You enforce SSL in all connections as you value your customers privacy. A user connects from the corporate network, where SSL deep-packet analysis was enabled. What happens in the browser? A.The browser displays a "red" warning B.The browser displays a "yellow" warning C.Nothing, all lights green as usual. 18
  • 19. antonio.fontes@owasp.org / SDLC Security Threat context Which of the following technologies should we protect against "___ Injection" attacks? A.LDAP --> yes B.HTML --> yes C.Xpath --> yes D.SQL (in the source code) --> yes E.SQL (in a stored procedure) --> yes 19
  • 20. antonio.fontes@owasp.org / SDLC Security Threat context You own an online dating website for VIPs. You enforce SSL in all connections as you value your customers privacy. A user connects from the corporate network, where SSL deep-packet analysis was enabled. What happens in the browser? A.The browser shows a "red" warning --> no. B.The browser shows a "yellow" warning --> maybe C.Nothing, all lights green as usual --> probably 20
  • 21. antonio.fontes@owasp.org / SDLC Security Threat context // anti-SQL Injection attacks filter String ValidateInput(string input) { String tmp = input.toUpperCase(); return(tmp.Replace("SELECT", "").replace("INSERT", "").replace("UPDATE", "").replace("UNION","").replace("BENCHMARK, "").replace("--", "").replace("OR 1=1", "").replace("DROP", "").replace("@@version", "").replace("WAITFOR", "").replace("OUTFILE", "") ... return(tmp) } 21
  • 22. antonio.fontes@owasp.org / SDLC Security Threat context // anti-SQL Injection attacks filter String ValidateInput(string input) { String tmp = input.toUpperCase(); return(tmp.Replace("SELECT", "").replace("INSERT", "").replace("UPDATE", "DRDROPOP table" ? "").replace("UNION","").replace("BENCHMARK, "").replace("--", "").replace("OR 1=1", "").replace("DROP", "").replace("@@version", "").replace("WAITFOR", "").replace("OUTFILE", "") ... return(tmp) } 22
  • 23. antonio.fontes@owasp.org / SDLC Security Threat context six@nine:~$ls /etc/conf/threats/ marketing compliance technology hacking hacktivism cybercrime / corporate espionage people cyberterrorism cyberwar 9 folder(s) found 23
  • 24. antonio.fontes@owasp.org / SDLC Security What do we know today? • About 900 software vulnerabilities: – http://cwe.mitre.org/ 24
  • 25. antonio.fontes@owasp.org / SDLC Security What do we know today? • About 35 webapps attack techniques: 25
  • 26. antonio.fontes@owasp.org / SDLC Security What do we know today? • About 15 weaknesses: http://projects.webappsec.org 26
  • 27. antonio.fontes@owasp.org / SDLC Security What do we know today? • 8 core secure development principles: – Data input validation – Data output encoding – Error handling – Authentication / Authorization – Session management – Secure communications – Secure storage – Secure resource access http://www.slideshare.net/BSides/the-principles-of-secure- development-david-rook 27
  • 28. antonio.fontes@owasp.org / SDLC Security What do we know today? • Software vulnerabilities appear at 3 major stages of the SDLC: – DESIGN time – IMPLEMENTATION time – DEPLOYMENT time Whether from within your organization…or from your software vendor… 28
  • 29. antonio.fontes@owasp.org / SDLC Security What do we know today? • Design time vulnerabilities: – Appear in the specifications/requirements documents (security features vs. secure features) • Causes: – Lack of security requirements analysis – Misunderstanding of the requirements – Insufficient or ambiguous specification – Specifications not being reviewed • Remediation cost: high 29
  • 30. antonio.fontes@owasp.org / SDLC Security What do we know today? • Coding time vulnerabilities: – Appear during the coding phase. • Causes: – Misunderstanding of the technology – Lack of good practices – Secure code not being reused – Code not being reviewed – Mistakes, distractions, errors, … • Remediation cost: average 30
  • 31. antonio.fontes@owasp.org / SDLC Security What do we know today? • Deploy time vulnerabilities: – Appear during/after the deployment. • Causes: – Insecure default configuration – Insecure installation procedure – Installed on insecure systems/networks – Configurations not being reviewed • Remediation cost: low 31
  • 32. antonio.fontes@owasp.org / SDLC Security What do we know today? • What about outsoucring? – How do you make sure the code is clean? – How do you know they can fix it? • Causes: – Incomplete vendor agreements / contracts – Lack of requirements / specifications – Lack of governance / controls • Remediation cost: high 32
  • 33. antonio.fontes@owasp.org / SDLC Security What do we know today? Organizations have a tolerance level (risk appetite): • "I want to be compliant!" – Get your webapp audited (checklist). • "I want to keep my database inside!" – Get a documented solution to the Top10 problem. • "I want 'secure' written on marketing material!" – Get/hire/rent an appsec professional What's yours? 33
  • 34. antonio.fontes@owasp.org / SDLC Security Challenge(s) • The threat landscape is highly mobile, proactive, evolving and..smart. – and moreover: it is increasing! • Weaknesses, on the other side, are highly static, reproducible and...detectable. • Organizations are still limited by time and money constraints. • Challenge: Identifying opportunities to maintain risk to its lowest level, at the lowest cost. 34
  • 35. antonio.fontes@owasp.org / SDLC Security Agenda What's happening right now? From reactive to proactive What others do? What can I do? 35
  • 36. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations 36
  • 37. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - nah. Detection: - nah. 37
  • 38. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - "Our software architect has ten years experience in…". Nah. Detection: - nah. 38
  • 39. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - Nah. - Sometimes: "hey, let's send all our developers to a security trainnig!" Detection: - If it passes build+compile, then it's gold baby!! - …nah. 39
  • 40. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - Nah. Detection: - Right password should work. - Wrong password should not work. - Logoff should work. -… - nah… 40
  • 41. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - "our integrators have ten years experience in…" .. Nah. Detection: - "We will conduct a penetration test. Soon!!" 41
  • 42. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - Nah. Detection: - PENTEST TIME!!! (aka: asking 'ethical hackers' to simulate an intrusion attempt) 42
  • 43. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Risk level 43
  • 44. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Fixing costs Risk level 44
  • 45. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Fixing costs Risk level Tolerated risk level 45
  • 46. antonio.fontes@owasp.org / SDLC Security Reactive risk control in the SDLC Inception Design Implementation Verification Release Operations Fixing costs Risk level Penetration test Tolerated risk level 46
  • 47. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Fixing costs Risk level Tolerated risk level Good practices: early prevention 47
  • 48. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Fixing costs Risk level Tolerated risk level Good practices: early Checkpoints: early prevention detection 48
  • 49. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Residual risk Tolerated risk level Risk level Fixing costs Good practice: early prevention Checkpoint: early detection 49
  • 50. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - Analysis of security & privacy requirements Detection: -Review - Vendor selection criteria 50
  • 51. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - Secure design and architecture guidance - Secure software requirements definition guidance - Awareness of web induced risks - Threat modeling - Service Level Agreement - Vendor contract: security quality & service agreement Detection: - Requirements/specification analysis - Design security review - Vendor offer: how is the vendor solving major problems? 51
  • 52. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - Secure development environment configuration - Secure coding guidance - Vendor contract: access to code review reports & coding practices Detection: - Code security review 52
  • 53. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - N/A Detection: -Security testing - Vendor contract: access to test plan and test results - Vendor contract: authorization to perform your own tests - Vendor contract: security acceptance criteria (Top 10? ASVS?) 53
  • 54. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - Secure application deployment guidance Detection: -Vulnerability/Configuration security assessment - Vendor contract: deployment guidance acceptance criteria 54
  • 55. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention: - Maintain secure environments (networks, systems, services) - Incident response planing - Vendor agreement: service level agreement (impact analysis, cross-client breach notification, etc.) Detection: - Vulnerability assessment - Penetration testing - Vendor agreement: authorization to attack your own service 55
  • 56. antonio.fontes@owasp.org / SDLC Security Proactive risk control in the SDLC Inception Design Implementation Verification Release Operations Prevention activities: - Rely on approved methods and tools to produce secure code - Vendor contract: ensure your software vendor agreed on security deliverables and activities Detection activities: - Deploy small controls all along the line to detect potential weaknesses. - Vendor contract: ensure you have full right to test your system and/or if necessary, its source code, and/or access to independent testing results. 56
  • 57. antonio.fontes@owasp.org / SDLC Security Agenda What's happening right now? From reactive to proactive What others do? What can I do? 57
  • 58. antonio.fontes@owasp.org / SDLC Security Secure SDLC examples • Microsoft • Mozilla • OWASP • BSIMM 58
  • 59. antonio.fontes@owasp.org / SDLC Security SDLC, SDL? • SDLC: – Systems Development Lifecycle • SDL: – Security Development Lifecycle • By Microsoft originaly • but many companies now have their 'SDL' 59
  • 60. antonio.fontes@owasp.org / SDLC Security Microsoft SDL (collaboration with Adobe and Cisco) http://www.microsoft.com/security/sdl 60
  • 61. antonio.fontes@owasp.org / SDLC Security Microsoft SDL 61
  • 62. antonio.fontes@owasp.org / SDLC Security Mozilla https://wiki.mozilla.org/Security/Reviews/Secure_Develo pment_Lifecycle 62
  • 63. antonio.fontes@owasp.org / SDLC Security Mozilla 63
  • 64. antonio.fontes@owasp.org / SDLC Security OWASP OpenSAMM https://www.owasp.org/index.php/Category:Software_Assurance_ Maturity_Model 64
  • 65. antonio.fontes@owasp.org / SDLC Security OWASP OpenSAMM 65
  • 66. antonio.fontes@owasp.org / SDLC Security BSIMM http://bsimm.com 66
  • 67. antonio.fontes@owasp.org / SDLC Security BSIMM 67
  • 68. antonio.fontes@owasp.org / SDLC Security BSIMM 68
  • 69. antonio.fontes@owasp.org / SDLC Security Agenda What's happening right now? From reactive to proactive What others do? What can I do? 69
  • 70. antonio.fontes@owasp.org / SDLC Security "Custom" SDLC-security integration Inception Design Implementation Verification Release Operations Security Secure Coding Security Secure Incident requirements design guidelines testing deployment response Automated Risk Threat Risk Vulnerability source code analysis modeling assessment management review Design Penetration review tests Training & awareness program Policy & Compliance watch Governance (Software security group, taskforce, strategy , metrics and dashboards) 70
  • 71. antonio.fontes@owasp.org / SDLC Security Get inspired • Don't underestimate checklists! • Preliminary triage check: 1. Is it accessible from Internet? 2. Is it collecting/handling regulated data? • Privacy, Financial, HIPAA, etc. 3. Is it connected to business process systems? 4. Does it rely on risky technology? 5. How critical is it for the business? 6. Do we have control over the source code? 7. Do we host the application? 8. Etc. 71
  • 72. antonio.fontes@owasp.org / SDLC Security Get inspired • Document your solutions to major problems: 1. How is input data validated? 2. How is output data encoded? 3. How are 3rd party systems interrogated? 4. How are requests authenticated/authorized/audited? 5. How do you store sensitive data? 6. How do you transport sensitive data? 7. Do you use cryptography? How? Where? 8. How do you handle errors and exceptions? 72
  • 73. antonio.fontes@owasp.org / SDLC Security Get inspired • Most of these models were built in years and adopted by large software vendors. • Read them but don't try copy-pasting them in your organization! • Adapt: with your strengths/weaknesses: – You have $$$? Hire read teams! – You have talent? Strengthen your APIs! 73
  • 74. antonio.fontes@owasp.org / SDLC Security If you got lost… 1. Document your API-based solution to each item of the OWASP Top 10 2. Integrate an automated run of a security testing software against your application. 3. Integrate an automated run of a source code security analysis software. 4. Add a questionnaire in your change management process: 1. Authentication? 6. Access to 3rd. Parties? 2. Authorization? 7. Sensitive data storage? 3. Audit? Log? 8. Sensitive data transport? 4. Input? Validation rule? 9. Use of cryptography? 5. Output? Encoding rule? 74
  • 75. antonio.fontes@owasp.org / SDLC Security If you got lost… 5. Get a documented threat model and how you respond to each threat 6. Formalize your incident response team and process 7. Establish coding guidelines (and make them available on the intranet) 8. Rearrange this list as it suits you best! 75
  • 77. antonio.fontes@owasp.org / SDLC Security Thank you! Contact me: antonio.fontes@owasp.org @starbuck3000 https://www.slideshare.net/starbuck3000 Connect to your OWASP local chapters: https://www.owasp.org/index.php/Germany https://www.owasp.org/index.php/Switzerland This afternoon talk: Top 10 webapp intrusion techniques 77