Here are the key things to report:
- Vulnerability type
- Location (file, line number)
- Short description
- Impact
- Recommendation
Provide enough context for developers to understand and fix.
Prioritize vulnerabilities by severity and risk.
REPORTING
SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs:
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection
• Weakness Metadata
- High severity
- Data exposure and system access
- Recommend using parameterized
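As an added illustration that is not part of the slide deck, the two forms the finding contrasts: the dynamic statement that concatenates the unvalidated name, and the parameterized command the recommendation points to, written for the ASP.NET code-behind the location names. The Users table, its Name and Email columns, the method names and the connection string are assumptions made for this example.

```csharp
// Added example, not code from the slide deck. Table, column and method
// names are assumptions for illustration.
using System;
using System.Data;
using System.Data.SqlClient;

public static class UpdateInfoExample
{
    // VULNERABLE: the untrusted value (name) becomes part of the SQL text,
    // so it can change the structure of the statement, not just its data.
    // This is the pattern the finding reports.
    public static string BuildDynamicSql(string name)
    {
        return "SELECT Email FROM Users WHERE Name = '" + name + "'";
    }

    // FIXED: the statement text is a constant; the value is bound as a typed
    // parameter and is never interpreted as SQL by the server.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("SELECT Email FROM Users WHERE Name = @name", conn);
        // Declaring the type and length also rejects over-long input early.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // Caller that uses the parameterized form end to end.
    public static string LookupEmail(string connectionString, string name)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildParameterizedCommand(conn, name))
        {
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? null : Convert.ToString(result);
        }
    }
}
```

When writing the finding, quote the concatenation line as the location and the parameterized command as the recommendation; the severity and impact bullets on the slide then follow directly from the fact that the first form lets input alter the query structure.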
Static Analysis Security Testing for Dummies... and You (Kevin Fealey)
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues.
Automating Your Tools: How to Free Up Your Security Professionals for Actual ... (Kevin Fealey)
This presentation was given at the Techno Security & Forensics Investigations Conference in Myrtle Beach, SC on June 2, 2015.
Abstract:
Manual application security testing alone doesn't cut it anymore -- scanning with SAST, DAST, and IAST tools is necessary to achieve security at portfolio scale; but as agile development practices become more popular, tool-assisted security reviews used as gates to production become more disruptive and expensive. While development teams evolve toward continuous release and deployment, the security industry continues to use the same paradigms developed 15 years ago. If organizations hope to produce more secure code at DevOps speed, something has to change.
This session will describe how many of the application security tasks performed manually today can be automated to allow security professionals to look for novel security problems, rather than just low-hanging fruit. I'll explain 1) How open source and commercial tools can add value when integrated into the development lifecycle; 2) How using security tools as automated sensors can improve security visibility and provide real-time actionable intelligence; and 3) How automating simple security tasks can free up security teams to work on real security challenges. We'll also describe some common pitfalls when incorporating security into development, as well as real-world solutions learned from our work in this area over the past 6 years.
This talk is an introduction to Secure Coding for Java. Through a range of examples, it will present the good practices that allow a secure Java application to be developed in a pragmatic way. We will cover functional practices as well as snippets of Java code containing errors, together with their fixes.
Security process should be integrated well with the SDLC to be successful. While many companies have already moved from Waterfall to Agile methodologies, security remains behind more often than not. We have demonstrated in our presentation how security can move to agile by utilizing open source tools, customizing them to meet our needs, and implementing continuous security testing using dynamic scanners as well as manual testing.
It’s also very important to ensure that false positives are not fed to the developers' bug tracking systems and to assign a severity to each finding correctly. To make this happen we import all our findings into a security dashboard and review them before exporting them to a bug tracking system.
What Good is this Tool? A Guide to Choosing the Right Application Security Te... (Kevin Fealey)
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding of the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes.
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
Join security experts from Rogue Wave Software for the first in a three-part series on ensuring your code and processes are secure.
Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications.
In this first one-hour webinar you'll learn how to:
- Protect your systems from risk
- Comply with security standards
- Ensure the entire codebase is bulletproof
Static Analysis helps developers prevent and eliminate defects—using thousands of rules tuned to find code patterns that lead to reliability, performance, and security problems. Over 15 years of research and development have gone into fine-tuning Parasoft's rule set.
For more information about Static Analysis please click on the link below.
http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547
Estimating Development Security Maturity in About an Hour (Priyanka Aash)
The session describes a simple method of estimating a development team’s security maturity, i.e. how well they make a secure software product, by looking at five key factors. The factors and a simple rating system will be shown coupled with real-world samples. Applicable usage scenarios as well as comparison to other security maturity models will be given.
(Source: RSA USA 2016-San Francisco)
RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is envisioned as a guide for early adopters and technology evaluators.
What? Why? Who? How? Of Application Security Testing (TEST Huddle)
A penetration testing expert is better at pen-testing than me, but should I simply delegate application security to specialists and network firewalls? Actually no, I shouldn’t and neither should anyone else involved in the systems development lifecycle.
For years I treated security testing as something akin to black magic beyond my comprehension and penetration testers as technical wizards who could cast out evil hacking spells. Obviously that was daft, but it took some effort to see what was really happening behind the smoke and mirrors of application security, and to de-mystify it for my colleagues.
Follow the journey that led Declan O'Riordan to believe that every well-formed tester can and must have a basic understanding of what application security is, why it is important, who should be doing it, and how.
After this presentation you can stop describing security as ‘Out of Scope’ from your test plans.
This presentation gives a brief overview of the procedure that needs to be followed for performing manual code review while assessing the security of an application/service. The presentation has two parts. This first part covers some vulnerabilities and the second part covers the remaining vulnerabilities.
Lessons from a recovering runtime application self protection addict (Priyanka Aash)
This talk will detail knowledge gained from years spent building runtime application self-protection technology. RASP sounds like a silver bullet—security pixie dust that protects vulnerable code. But does it solve real problems? Who integrates and operates it? Is it fast enough? Accurate enough? Reliable enough? Will answering these questions change your thinking on RASP?
(Source : RSA Conference USA 2017)
Continuous Application Security at Scale with IAST and RASP -- Transforming D... (Jeff Williams)
Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.
PHP is the most commonly used server-side programming language, deployed on more than 80% of web servers all over the world. However, PHP is a 'grown' language rather than a deliberately engineered one, making writing insecure PHP applications far too easy and common. If you want to use PHP securely, then you should be aware of all its pitfalls.
Making DevSecOps a Reality in your Spring Applications (Hdiv Security)
The adoption of DevOps and Continuous Delivery provides tangible benefits such as higher quality, stability, and faster release cadence. One of the most important issues within this adoption is related to security quality tasks that have been traditionally implemented manually.
The talk will demonstrate the security integration of Spring ecosystem demo applications with the Jenkins CI server to jump start continuous and in-depth security testing into the DevOps CI/CD pipeline, via automation and orchestration.
Steering a Bullet Train: Owasp Latam Tour BA 2015 (skantos)
IT companies that do heavy software development have been shifting their paradigm from a traditional monolithic waterfall development lifecycle to a fully heterogeneous 24/7 devops culture. This implies more software deployment and more code developed. The traditional security approach, besides not being enough, is clearly outdated and non-applicable. This talk will tell how MercadoLibre evolved to a DevOps company, how information security was perceived and tackled then and now, what challenges we faced, what we made to drive change to a 15 years old company’s mindset, and how we are transforming into a SecDevOps culture and the way we envision that culture of work.
[CONFidence 2016] Glenn ten Cate - OWASP-SKF Making the web secure by design,... (PROIDEA)
Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. With this knowledge you will be 'The one' and creating applications secure from design!
Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications.
With this presentation you'll learn how to:
- Protect your systems from risk
- Comply with security standards
- Ensure the entire codebase is bulletproof
OWASP-SKF Making the web secure by design - Glenn ten Cate - Codemotion Amste... (Codemotion)
Education is the first step in the Secure Software Development Lifecycle. The free OWASP Security Knowledge Framework (SKF) is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. This talk will help you as a developer to become THE Neo of your development team. We will show how you can do security by design and introduce other quality gates into your development pipeline to ensure high end quality and security of your project.
Bypassing Secure Boot using Fault Injection (Riscure)
The Fault Injection attack surface of Secure Boot implementations is determined by the specifics of their design and implementation. Using a generic Secure Boot design we detail multiple vulnerabilities (~10) using examples in source code, disassembly and hardware. We will determine what the impact is of the target's design on its Fault Injection attack surface: from high-level architecture to low-level implementation details. Research originally presented in November 2016 at BlackHat Europe.
Rapid software testing and conformance with static code analysis (Rogue Wave Software)
With growing connectivity between complex automotive software components, development teams are looking for new ways to verify code security and validate against standards. This explains an exciting new approach to software testing that combines the breadth and depth of static analysis with modern test automation to provide rapid feedback to developers on incremental code changes – continuous static code analysis. By connecting deep analysis to continuous integration workflows, testing is pulled forward earlier to eliminate defects and reduce rework costs.
Walk away with knowledge of real defects, security vulnerabilities, and automotive standards (such as MISRA and ISO 26262) plus key steps to start immediate deployment of continuous static code analysis for testing. Presented at GENIVI All Member Meeting & Open Community Days.
Open source reduces development costs, frees internal developers to work on higher-order tasks, and accelerates time to market. Quite simply, open source is the way applications are developed today. Mike Pittenger addresses security in the age of open source in this presentation.
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses (Riscure)
Secure Boot is widely deployed in modern embedded systems and is an essential part of the security model. Even when no (easy to exploit) logical vulnerabilities remain, attackers are surprisingly often still able to compromise it using Fault Injection, a so-called glitch attack. Many of these vulnerabilities are difficult to spot in the source code and can only be found by manually inspecting the disassembled binary code instruction by instruction.
While the idea to use simulation to identify these vulnerabilities is not new, this talk presents a fault simulator created using existing open-source components and without requiring a detailed model of the underlying hardware. The challenges to simulate real-world targets will be discussed as well as how to overcome most of them.
BGOUG 2014 Decrease Your MySQL Attack Surface (Georgi Kodinov)
Security is not a question of "if" but "when". People will hit at your server(s).
A smaller attack surface means they'll be more likely to miss too, and inflict less damage in general.
Let's find out some easy steps we can take to decrease MySQL's attack surface in a typical web setup.
Is your SAP system vulnerable to cyber attacks? (Virtual Forge)
This presentation was held by Stephen Lamy, Virtual Forge, at the Basis & SAP Administration 2015 Conference in Las Vegas, March 2015.
Stephen Lamy demonstrated specific risks that custom ABAP can introduce into an SAP system, and provided proven advice to minimize ABAP security risks.
Key Takeaways:
- What vulnerabilities exist in productive SAP systems, and better understand how your SAP systems can be compromised
- What are common and dangerous ABAP risks, such as directory traversal and ABAP command injection
- Best practices to develop secure and compliant ABAP code, such as implementing internal coding guidelines and standards, protecting your systems from risky third-party code, and choosing the right tools for your process
• How Software Development Methodologies may increase the security level
• Detecting and handling vulnerabilities in dependencies in a pragmatic way
• High-level principles that ~always increase the security level
-Microsoft Security Development Lifecycle practices
-What is Dev SecOps
-Static and Dynamic Application Security Testing
Security as a New Metric for Your Business, Product and Development Lifecycle... (IT Arena)
Lviv IT Arena is a conference specially designed for programmers, designers, developers, top managers, investors, entrepreneurs and startuppers. Annually it takes place on 2-4 October in Lviv at the Arena Lviv stadium. In 2015 the conference gathered more than 1400 participants and over 100 speakers from companies like Facebook, FitBit, Mail.ru, HP, Epson and IBM. More details about the conference at itarene.lviv.ua.
Industrial Challenges of Secure Software Development (Achim D. Brucker)
Developing secure software requires more than the definition of a process, i.e., a Secure Software Development Lifecycle. The successful implementation of a Secure Software Development Lifecycle relies on many factors, among them providing the right tools to developers that support them in writing secure and reliable code. Based on SAP's experience in the large scale introduction of static code analysis tools as well as the use of dynamic (security) testing tools, I will discuss several challenges of secure development approaches in industry, such as finding the right balance between security requirements and development efforts, or between the precision of a security analysis and its scalability.
OSS has taken over the enterprise: The top five OSS trends of 2015 (Rogue Wave Software)
It’s everywhere. From your phone to the enterprise, open source software (OSS) is running far and wide. Gartner predicts that by 2016, 99 percent of Global 2000 enterprises will use open source in mission-critical software. While it’s free, easy to find, and pushes software to the market faster, it’s vital to understand how to use OSS safely.
Join Richard Sherrard, director of product management at Rogue Wave, for a live webinar reviewing the top five OSS trends of 2015. From OSS discovery, to risk, and governance, we’ll take a deep dive into the trends we’ve noticed this year while providing you with some predictions for 2016.
In this webinar you’ll learn how to:
-Discover the OSS in your codebase to ensure that code is free of bugs, security vulnerabilities, and license conflicts
-Implement controls on OSS usage at your organization
-Create a multi-tier approach to OSS risk reduction with open source tools, static code analysis and dynamic analysis
Watch the webinar recording now: https://www.brighttalk.com/webcast/12285/164531
Why 'positive security' is a software security game changer (Jaap Karan Singh)
This deck goes through challenges with software security today, how we got to this position and best ways of addressing these challenges through the lens of 'positive security'.
Proactive SQA™ Shifting Left w/Proactive Software Quality Practices (XBOSoft)
This webinar hosted by XBOSoft featured our guest speaker, Robin Goldsmith. Robin, an expert in software requirements and business analysis, presented how to develop a definition of software quality as a first step in any software development process. Although most of what is called SQA today is actually just testing, true SQA is much different from quality control (QC) testing. SQA can and should do far more, contributing proactively to assure that the software process in fact does the right things well, so it truly produces high quality more cheaply, preventing errors or catching them earlier when they can be fixed more easily. This interactive webinar positions SQA and explains the six proactive functions it should perform to provide far greater value.
Seven Deadly Habits of Dysfunctional Software Managers (TechWell)
As if releasing a quality software project on time were not difficult enough, poor management of planning, people, and process issues can be deadly to a project. Presenting a series of anti-pattern case studies, Ken Whitaker describes the most common deadly habits—and ways to avoid them. These seven killer habits are mishandling employee incentives; making key decisions by consensus; ignoring proven processes; delegating absolute control to a project manager; taking too long to negotiate a project’s scope; releasing an “almost tested” product to market; and hiring someone who is not quite qualified—but liked by everyone. Whether you are an experienced manager struggling with some of these issues or a new software manager, take away invaluable tips and techniques for correcting these habits—or better yet, for avoiding them altogether. As a bonus, every attendee will receive a copy of Ken’s full-color 7 Deadly Habits comic.
What Every Developer And Tester Should Know About Software Security (Anne Oikarinen)
Software security is best built in. This presentation introduces three essential things to help you design more secure software. In order to have a secure foundation, you can create and select security requirements for your applications using evil user stories and utilizing existing material, for example from OWASP.
Another useful skill is threat modeling which helps you to assess security already in the design phase. Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus penetration testing to the most risky parts of the system. The presentation covers various methods, such as the STRIDE model, for finding security and privacy threats.
You will also learn what kind of security related testing you can do without having any infosec background.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
- State of global ICS asset and network exposure
- Sectoral targets and attacks as well as the cost of ransom
- Global APT activity, AI usage, actor and tactic profiles, and implications
- Rise in volumes of AI-powered cyberattacks
- Major cyber events in 2024
- Malware and malicious payload trends
- Cyberattack types and targets
- Vulnerability exploit attempts on CVEs
- Attacks on counties – USA
- Expansion of bot farms – how, where, and why
- In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
- Why are attacks on smart factories rising?
- Cyber risk predictions
- Axis of attacks – Europe
- Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that do not adapt and embrace new ideas often struggle to keep up with the competition. However, fostering a culture of innovation takes a lot of work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
11. TAKE AWAYS
• Components of an effective secure code review process
• Simplified secure code review process
• How to kick off your internal security code review process
17. WHAT DOES CODE REVIEW DO BEST?
• Systematic approach to uncover security flaws
• Close to 100% code coverage
• Better at finding design flaws
• Find all instances of a certain vulnerability
• The only way to find certain types of vulnerabilities
51. IMPORTANT ASPECTS IN ANY PROCESS
• Reconnaissance: Understand the app
• Threat Modeling: Enumerate inputs, threats and attack surface
• Automation: Low-hanging fruit
• Manual Review: High-risk modules
• Confirmation and PoC: Weed out false positives and confirm high-risk vulns.
• Reporting: Communication back to the development team.
52. FULL APPLICATION SECURITY CODE REVIEW PROCESS
[Diagram: process cycle of Reconnaissance, Threat Modelling, Automation, Manual Review, Confirmation & PoC and Reporting, supported by Security Skills, Checklists and Tools]
53-55. SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS
[Diagram: Trust Boundary Identification → Automation (OWASP Top 10, Checklists, Tools) → Manual Review → Reporting; annotations added across the three slides: "OWASP Top 10 Driven" and "OWASP Cheat Sheets Series"]
56. DEFINE TRUST BOUNDARY
[Diagram: simplified process with the Trust Boundary Identification step highlighted]
57. TRUST BOUNDARY
• Trust Boundary is the virtual line where the trust level changes
• Privileges Change
• Untrusted Data Received
• Untrusted Data Sent
• Application’s Internal State Changes
Source: Writing Secure Code, Second Edition, Michael Howard and David LeBlanc
67. TRUST BOUNDARY - EXAMPLE
[Diagram: example architecture with trust boundaries drawn between network zones labelled Internet and LAN; components shown: Browser, SOAP Client, Admin Client, Front Controller, Admin Front Controller, Web Services, Business Objects, Data Access Layer, DB, LDAP / AD Server, File System]
68. WAYS TO MARK TRUST BOUNDARY
• Physical Source Code Separation
• Naming Scheme
  • Trust Boundary Safe: tbsProcessNameChange.java
  • Trust Boundary UnSafe: tbuEditProfile.jsp
70. AUTOMATION
• Super Greps (keyword search)
• Automated Unit-Tests
• Static Code Analysis Tools
71. AUTOMATION: STATIC CODE ANALYSIS TOOLS
• Security Code Review <> Running a Tool (a code review is not the same as running a tool)

Pros                      | Cons
--------------------------|--------------------------
Scales well               | False positives
Low-hanging fruit         | Application logic issues
Can be taught new tricks  | Collections
                          | Frameworks
89. FILE UPLOAD/DOWNLOAD FLAWS
An attacker can bypass validation control
90. REPORTING
[Diagram: simplified process with the Reporting step highlighted]
91. REPORTING
• Weakness Metadata
• Thorough Description
• Recommendation
• Assign Appropriate Priority

SQL Injection:
Location: \source\ACMEPortal\updateinfo.aspx.cs
Description: The code below builds a dynamic SQL statement using unvalidated data (i.e. name), which can lead to SQL Injection
    51 SqlDataAdapter myCommand = new SqlDataAdapter(
    52     "SELECT au_lname, au_fname FROM author WHERE au_id = '" +
    53     SSN.Text + "'", myConnection);
Priority: High
Recommendation: Use parameterized SQL instead of dynamic concatenation; refer to http://msdn.microsoft.com/en-us/library/ff648339.aspx for details.
Owner: John Smith
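An added example, not from the slides: a small Python "super grep" of the kind slide 70 lists under Automation, run over constructed C# sources. It ranks each hit by the tbs/tbu naming scheme from slide 68 and produces a record with the fields the reporting slide asks for. The file names, their contents, the keyword pattern and the priority mapping are all assumptions.

```python
"""Added example (not from the original slides): a 'super grep' pass over
constructed C# sources that flags string-concatenated SQL, ranks each hit by
the tbs/tbu trust-boundary naming scheme, and emits a finding record with the
fields of the REPORTING slide. File names and contents are made up."""
import re
from typing import Dict, List

# Constructed sample sources: a tbu (trust-boundary unsafe) page that builds SQL
# from a form field, and a tbs (safe) helper that already uses parameters.
SAMPLE_SOURCES: Dict[str, str] = {
    r"\source\ACMEPortal\tbuUpdateInfo.aspx.cs": (
        "SqlDataAdapter myCommand = new SqlDataAdapter(\n"
        "    \"SELECT au_lname, au_fname FROM author WHERE au_id = '\" +\n"
        "    SSN.Text + \"'\", myConnection);\n"
    ),
    r"\source\ACMEPortal\tbsAuthorRepo.cs": (
        "var cmd = new SqlCommand(\n"
        "    \"SELECT au_lname FROM author WHERE au_id = @id\", conn);\n"
        "cmd.Parameters.AddWithValue(\"@id\", id);\n"
    ),
}

# Keyword search: a SQL verb inside a string literal that is then concatenated.
SQL_CONCAT = re.compile(r'"[^"\n]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"\n]*"\s*\+')


def priority_for(path: str) -> str:
    """Assumed mapping: tbu* files sit on the untrusted side of the boundary."""
    name = path.rsplit("\\", 1)[-1]
    return "High" if name.startswith("tbu") else "Medium"


def super_grep(sources: Dict[str, str]) -> List[dict]:
    """Return one finding record per matching line, ready for the report."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if SQL_CONCAT.search(line):
                findings.append({
                    "weakness": "SQL Injection",
                    "location": f"{path}:{lineno}",
                    "description": "Dynamic SQL built by concatenating a string "
                                   "literal with other data; confirm the data is "
                                   "untrusted (Confirmation & PoC) before reporting.",
                    "priority": priority_for(path),
                    "recommendation": "Use parameterized SQL instead of concatenation.",
                    "owner": "TBD (assigned by the review lead)",
                })
    return findings


if __name__ == "__main__":
    for f in super_grep(SAMPLE_SOURCES):
        print(f"{f['weakness']} at {f['location']} [{f['priority']}]")
```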
92. SIMPLIFIED APPLICATION SECURITY CODE REVIEW PROCESS
[Diagram: Trust Boundary Identification → Automation (OWASP Top 10, Checklists, Tools) → Manual Review → Reporting]