The document provides an overview of key security engineering activities that should be integrated into the software development lifecycle (SDLC). It discusses securing each phase of development through threat modeling, secure coding practices like code reviews, and security testing. The goal is to build security into applications from the start to help prevent vulnerabilities and deliver more robust products.
This presentation describes penetration testing with a Who, What, Where, When, and How approach. In the presentation, you may discover the common pitfalls of a bad penetration test and you could identify a better one. You should be able to recognize and differentiate both looking at the methods (attitude) and result.
Cyber security and demonstration of security toolsVicky Fernandes
Presentation on Cybersecurity and demonstration of security tools, conducted by Vicky Fernandes on 10th September 2019 at Don Bosco Institute of Technology, Mumbai.
Secure by Design - Security Design Principles for the Rest of UsEoin Woods
Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over.
The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists.
In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering.
This version of the talk was presented at GOTO London in October 2016.
This presentation describes penetration testing with a Who, What, Where, When, and How approach. In the presentation, you may discover the common pitfalls of a bad penetration test and you could identify a better one. You should be able to recognize and differentiate both looking at the methods (attitude) and result.
Cyber security and demonstration of security toolsVicky Fernandes
Presentation on Cybersecurity and demonstration of security tools, conducted by Vicky Fernandes on 10th September 2019 at Don Bosco Institute of Technology, Mumbai.
Secure by Design - Security Design Principles for the Rest of UsEoin Woods
Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over.
The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists.
In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering.
This version of the talk was presented at GOTO London in October 2016.
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
( ** Cyber Security Training: https://www.edureka.co/cybersecurity-certification-training ** )
This Edureka PPT on "Penetration Testing" will help you understand all about penetration testing, its methodologies, and tools. Below is the list of topics covered in this session:
What is Penetration Testing?
Phases of Penetration Testing
Penetration Testing Types
Penetration Testing Tools
How to perform Penetration Testing on Kali Linux?
Cyber Security Playlist: https://bit.ly/2N2jlNN
Cyber Security Blog Series: https://bit.ly/2AuULkP
Instagram: https://www.instagram.com/edureka_lea...
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Basic Network Attacks
The active and passive attacks can be differentiated on the basis of what are they, how they are performed and how much extent of damage they cause to the system resources. But, majorly the active attack modifies the information and causes a lot of damage to the system resources and can affect its operation. Conversely, the passive attack does not make any changes to the system resources and therefore doesn’t causes any damage.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
Red team and blue team in ethical hackingVikram Khanna
Red team blue team work on two approaches, one attacks it while blue team defends it. View this presentation now to understand what is red team and blue team and its importance in ethical hacking!
Happy learning!!
The CIA Triad - Assurance on Information SecurityBharath Rao
Confidentiality, Integrity and Availability of Data are the basis for providing assurance on IS Security. This document gives a small overview of the impact of confidentiality, integrity and availability on the data and the need of securing the CIA.
The difference between Cybersecurity and Information SecurityPECB
Cybersecurity is a growing and rapidly changing field, and it is crucial that the central concepts that frame and define this increasingly pervasive field are understood by professionals who are involved and concerned with the security implications of information technology (IT).
• The evolution of Cybersecurity
• Protecting Digital Assets
• Difference between Cybersecurity and Information Security
• Cybersecurity Objectives
• Future of Cybersecurity
Presenter:
Hafiz Adnan is an IT GRC, Security Consultant and Lead Auditor and a PECB Certified Trainer with over 11 years of significant, progressive experience in Information Technology field, focusing on Information Security, IT Governance, ISO Standards Implementation & Compliance, IT Service Management, Risk Management, Information Security & IT Service Management Audits, Software Project Management and Process Improvement.
Link of the recorded session published on YouTube: https://youtu.be/BA670iVPi5c
This presentation provides an introduction to cybersecurity. This presentation is a part of the Five days Faculty Development Program on Cybersecurity organized by the Department of Information Technology, Sri Ramakrishna Institute of Technology.
This Edureka PPT on "Application Security" will help you understand what application security is and measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Following are the topics covered in this PPT:
Introduction to Cybersecurity
What is Application Security?
What is an SQL Injection attack
Demo on SQL Injection
Follow us to never miss an update in the future.
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
( ** Cyber Security Training: https://www.edureka.co/cybersecurity-certification-training ** )
This Edureka PPT on "Penetration Testing" will help you understand all about penetration testing, its methodologies, and tools. Below is the list of topics covered in this session:
What is Penetration Testing?
Phases of Penetration Testing
Penetration Testing Types
Penetration Testing Tools
How to perform Penetration Testing on Kali Linux?
Cyber Security Playlist: https://bit.ly/2N2jlNN
Cyber Security Blog Series: https://bit.ly/2AuULkP
Instagram: https://www.instagram.com/edureka_lea...
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Basic Network Attacks
The active and passive attacks can be differentiated on the basis of what are they, how they are performed and how much extent of damage they cause to the system resources. But, majorly the active attack modifies the information and causes a lot of damage to the system resources and can affect its operation. Conversely, the passive attack does not make any changes to the system resources and therefore doesn’t causes any damage.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing to publish these presentations.
Red team and blue team in ethical hackingVikram Khanna
Red team blue team work on two approaches, one attacks it while blue team defends it. View this presentation now to understand what is red team and blue team and its importance in ethical hacking!
Happy learning!!
The CIA Triad - Assurance on Information SecurityBharath Rao
Confidentiality, Integrity and Availability of Data are the basis for providing assurance on IS Security. This document gives a small overview of the impact of confidentiality, integrity and availability on the data and the need of securing the CIA.
The difference between Cybersecurity and Information SecurityPECB
Cybersecurity is a growing and rapidly changing field, and it is crucial that the central concepts that frame and define this increasingly pervasive field are understood by professionals who are involved and concerned with the security implications of information technology (IT).
• The evolution of Cybersecurity
• Protecting Digital Assets
• Difference between Cybersecurity and Information Security
• Cybersecurity Objectives
• Future of Cybersecurity
Presenter:
Hafiz Adnan is an IT GRC, Security Consultant and Lead Auditor and a PECB Certified Trainer with over 11 years of significant, progressive experience in Information Technology field, focusing on Information Security, IT Governance, ISO Standards Implementation & Compliance, IT Service Management, Risk Management, Information Security & IT Service Management Audits, Software Project Management and Process Improvement.
Link of the recorded session published on YouTube: https://youtu.be/BA670iVPi5c
This presentation provides an introduction to cybersecurity. This presentation is a part of the Five days Faculty Development Program on Cybersecurity organized by the Department of Information Technology, Sri Ramakrishna Institute of Technology.
This Edureka PPT on "Application Security" will help you understand what application security is and measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Following are the topics covered in this PPT:
Introduction to Cybersecurity
What is Application Security?
What is an SQL Injection attack
Demo on SQL Injection
Follow us to never miss an update in the future.
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Application Security Guide for Beginners Checkmarx
This beginner’s guide to application security focuses on the main concepts and keywords used in the Application Security domain. From a secure software development lifecycle (SDLC) to the top threats facing applications and their impacts, this guide covers it all!
This guide is divided into the following categories:
-Code DevelopmentMethodologies
-Code
-Application SecuritySolutions
-Common threats and their impacts
The presentation focuses on the responsibilities, practices, processes, tools, and techniques that systematically increase security in the software development lifecycle (SSDLC). Software should be provisioned uniformly declarative regardless of whether software artifacts are produced in-house or purchased. This is the foundation for effective quality and security standardization, which are key facilitators of reliability engineering.
This presentation gives the brief overview of the procedure that needs to be followed for performing manual code review while assessing the security of an application/service. There are two parts for this presentation. This first part covers some vulnerabilities and the second part covers remaining vulnerabilities.
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...QADay
Online Quality Assurance Day 2020 #2
ОЛЬГА АКСЬОНЕНКО
«Безпечна розробка програмного забезпечення в Agile проектах»
telegram: wwww.t.me/goqameetup
fb: www.fb.com/goqaevent
fb: www.fb.com/qaday.org
Сайт: www.qaday.org
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFD’s and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxInfosectrain3
The CompTIA Cybersecurity Analyst (CySA+) certification is the industry standard for demonstrating that cybersecurity professionals can analyze data and interpret the results to detect vulnerabilities, threats, and risks to an organization.
For Business's Sake, Let's focus on AppSecLalit Kale
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
How the CC Harmonizes with Secure Software Development LifecycleSeungjoo Kim
How the CC Harmonizes with Secure Software Development Lifecycle @ ICCC 2013 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
2. whoami
Semi Yulianto
BSc. (Accounting), M.IT (IT Security & Governance)
Doctor in IT, Student at Graduate School of University of the East (Manila, Philippines)
MCT, MCDBA, MCTS, MCITP, MCSA, MCSE, MCT, CCNP, CWNA, CEH, ECSA, CHFI, ECSP, EDRP,
CND, CEI, SSCP, CISSP, CSSLP, CISA, CISM, CySA+, CASP, OSSA, CASE Java
Co-Founder & CEO, Chief Hacking Officer (CHO) of PT. Systech Global Informasi (SGI
Asia) // InfoSec Interim Consultant / Subject Matter Expert (SME) at PT. Trinusa
Travelindo (Traveloka) // Information Security/Cyber Security Practitioner, Consultant,
IS Auditor & Senior Technical Trainer // POJK & SEOJK Lead Auditor // US Military
Approved Instructor (USFK – United States Force in Korea) // Author of Writing an
Effective Penetration Testing Report: An Executive View (2014) course with 650+
enrolees (Pentest Magazine, Poland), also available in Amazon // Reviewer of Expert
Metasploit Penetration Testing (2013) video course (Packt Publishing, UK)
2
5. VULNERABILITIES IN SDLC PHASE (CONT)
Addressing security in each phase of the SDLC is the
most effective way to create highly secure applications.
Robust security-focused design principles followed by
rigorous security-focused coding, testing, and
deployment practices will lead to applications that can
stand up to attacks.
This will result in lower ownership costs for both, the
end user and the application vendor.
5
6. SECURING ENGINEERING
Securing Engineering presents an overview of
key security engineering activities that should
be an integral part of your application
development lifecycle.
Key objective is to include specific security-
related activities in your current software
engineering processes.
6
7. SECURING ENGINEERING ACTIVITIES
Identifying security objectives.
Applying secure design guidelines, patterns
and principles.
Creating threat models.
Conducting architecture and design reviews
for security.
Performing regular code reviews for security.
7
8. SECURING ENGINEERING ACTIVITIES (CONT)
Testing for security.
Conducting development reviews to ensure
secure configuration.
8
9. “ Security Engineering is a
specialized field of software
engineering that focuses on
the security aspects in the
design of systems that need
to be able to deal robustly with
possible sources of disruption
(e.g. malicious acts).
9
10. THE BIG
PICTURE
Both Securing Engineering and Security
Engineering focuses on the security
aspects in software or systems
development with the main objective IS to
deliver robust products. 10
12. SSE-CMM (CONT)
SSE-CMM (ISO/IEC 21827:2008) describes the
essential characteristics of an organization's
security engineering process that must exist
to ensure good security engineering.
ISO/IEC 21827:2008 does not prescribe a
particular process or sequence, but captures
practices generally observed in industry.
12
13. SSE-CMM COVERAGE AREAS
the entire life cycle, including development,
operation, maintenance and decommissioning
activities;
the whole organization, including
management, organizational and engineering
activities;
13
14. SSE-CMM COVERAGE AREAS (CONT)
concurrent interactions with other disciplines,
such as system, software, hardware, human
factors and test engineering; system
management, operation and maintenance;
interactions with other organizations,
including acquisition, system management,
certification, accreditation and evaluation.
14
15. LIFECYCLE INTEGRATION
15
CORE SECURITY
Planning
Requirements and
Analysis
Functional Requirements
Non-Functional
Requirements
Technology Requirements
Security Design Guidelines
Threat Modeling
Security Architecture and
Design Review
Development Unit Tests
Code Review
Daily Builds
Security Code Review
Testing Integration Testing
System Testing
Security Testing
Deployment Deployment Review Security Deployment
Review
Maintenance
22. “ Threat Modeling is the process
of discovering potential security
vulnerabilities in a design and
eliminating those weaknesses
or vulnerabilities before writing
any code, fits best during the
stage of planning and designing
a new feature. The main
objective is to create more
secure software. 22
23. OWASP THREAT MODELING
23
DREAD is a classification scheme for
quantifying, comparing and prioritizing the
amount of risk presented by each evaluated
threat.
Risk_DREAD = (DAMAGE + REPRODUCIBILITY
+ EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
32. “ Static Analysis or Secure
Code Review also known as
SAST is the process of
auditing the source code for
an application to verify that
the proper security controls
are present, that they work
as intended, and that they
have been invoked in all the
right places. 32
35. “ Dynamic Analysis or Run-time
Test also known as DAST is a
technology, which is able to find
visible vulnerabilities by feeding
a URL into an automated
scanner. Highly scalable, easily
integrated and quick, drawbacks
lie in the need for expert
configuration and the high
possibility of false positives and
negatives. 35
39. CASE STUDY - HACME BANK V2.0
Background:
Hacme Bank v2.0 application simulates a real-
world web services-enabled online banking
application, which was built with a number of
known and common vulnerabilities.
It allows users to attempt real exploits against a
web application and thus learn the specifics of
the issue and how best to fix it.
39
40. CASE STUDY - HACME BANK (CONT)
Testing Types:
Manual Exploration/Testing
Dynamic Analysis (Run-time Test)
Static Analysis (Secure Code Review)
40
42. CAREERS IN SOFTWARE SECURITY
Application Security
Engineer
Security Architect
Security Analyst
Information Security
Specialist
IT Security Engineer
Software QA
42
Test Engineer
Penetration Tester
IT Security Auditor
Source Code Auditor
DevOps Engineer
IT Security Consultant
43. SECURE CODING/SDLC TRAINING
EC-COUNCIL Certified Secure Programmer (ECSP)
Java & .NET
EC-COUNCIL Certified Application Security
Engineer (CASE) Java & .NET
ISC2 Certified Secure Software Lifecycle
Professional (CSSLP)
ISC2 Certified Information Systems Security
Professional (CISSP)
43
44. PROJECTS
Secure Coding Best Practices (Bahasa Indonesia
Version) - Draft Version 0.1
Secure Coding/SDLC Awareness Training for
Developers and InfoSec Professionals
Applications Threat and Vulnerability Database
with Risk Ranking (Web and Mobile)
44
45. 45
THANKS!
Any questions?
You can find me at:
semi.yulianto2009@gmail.com
+62 858 1325 6600
https://www.linkedin.com/in/semiyulianto/