SlideShare a Scribd company logo

Security for devs

Download as PPTX, PDF
A
Abdelrhman Shawky

Security for devs workshop

Software
1 of 20
SECURITY FOR DEVELOPERS @shawkyz1 @shawkyz
ABOUT ME • Built multiple CI/CD Pipelines for businesses with different needs. • Lived 4 Years in Germany and now I’m back to ‫الوطن‬ ‫أرض‬ • A Software Engineer at day, a Hacker by night. • Love to automate everything. • In love with Security and an OSCP Holder. • Technical Consultant @S3Geeks • Security and Systems Engineer @FuturaSolutionsGmbH
SDLC (SOFTWARE DEVELOPMENT LIFECYCLE) • A Software Development Life Cycle (SDLC) is a framework that defines the process used by organizations to build an application from its inception to its decommission. Over the years, multiple standard SDLC models have been proposed (Waterfall, Iterative, Agile, etc.) and used in various ways to fit individual circumstances.
• Planning and requirements. • Architecture and design. • Test planning. • Coding. • Testing and results. • Release and maintenance. SDLC PHASES
SECURE YOUR SDLC ACCORDING TO MICROSOFT • Provide Training. • Define Security Requirements. • Perform Thread Modeling. • Define and Use Cryptography Standards. • Follow Best Practices. • Perform Static Analysis. • Perform Dynamic Analysis. • Regularly Pentest. • Establish Incident Response Mechanism. Source: https://www.microsoft.com/en-us/securityengineering/sdl/practices
•What happens when you write a url in a browser and press enter?
HOW HTTP WORKS
• GET requests a specific resource in its entirety • HEAD requests a specific resource without the body content • POST adds content, messages, or data to a new page under an existing web resource • PUT directly modifies an existing web resource or creates a new URI if need be • DELETE gets rid of a specified resource • TRACE shows users any changes or additions made to a web resource • OPTIONS shows users which HTTP methods are available for a specific URL • CONNECT converts the request connection to a transparent TCP/IP tunnel • PATCH partially modifies a web resource HTTP REQUESTS
HTTP HEADERS • Origin • Accept • Accept-Encoding • Cookie • Cache-Control • Dnt but many more exist.
HTTP RESPONSES • 200 OK • 404 Not Found • 403 Forbidden • 301 Moved Permanently • 500 Internal Server Error • 304 Not Modified • 401 Unauthorized
OWASP TOP 10
RESOURCE FOR DEVS? • Troy Hunt‘s OWASP Top 10 for .NET developers • https://files.troyhunt.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf • OWASP TOP 10 2017 • https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
LET‘S DO SOME HACKING •DEMO WEBGOAT.NET
VULNERABILITY RATING •What is CVSS?
• Define your app Scope. • Regular and Internal Penetration tests. • Bug Bounty? Let the crowd hack you. SECURITY TESTS
HOW TO YOU APPLY BEST PRACTICES • Always check OWASP‘s Best practices for a certain vulnerability. • Look for OWASP‘s Library/Framework Recommendations.
HOW DO I KNOW ABOUT NEW 0DAYS? • Check if your local CERT if they offer a newsletter. • Subscribe to MITRE newsletter https://cve.mitre.org/news/newsletter.html • Regrularly Update Libraries/Frameworks you‘re using.
SECURE YOUR CI/CD • Code Analysis. Analyze code for application specific vulnerabilities. • Container Hardening. Remove unneeded libraries and packages; restrict functions. • Image Scanning. Scan images for vulnerabilities at build; regularly in registries. • Image Signing, e.g. Content Trust. Ensure trust with signing and author / publisher verification. • User Access Controls, e.g. Registries. Restrict and monitor access to trusted registries and deployment tools. • Host and Kernel Security. Use SECCOMP, AppArmor, or SELinux or equivalent host security settings. • Access Controls. Enable restricted access to system and Docker daemon. • Auditing, e.g. Docker Bench. Perform security audit using Docker CIS benchmark.
SECURE YOUR CI/CD • Network Inspection & Visualization. Inspect all container to container connections and build visualization for application stack behavior. • Threat Detection. Monitor applications for DDoS, DNS attacks and other network based application attacks. • Host & Container Privilege Escalation Detection. Detect privilege escalations on hosts and containers to predict break outs and attacks. • Packet Capture & Event Logging. Capture packets and event logs to enable forensics.
FOLLOW ME? @shawkyz1 @shawkyz @shawkyz1 https://shawkyz.info abdelrhmanshawky4@gmail.com

Recommended

JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native Companion
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native CompanionJakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native Companion
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native CompanionJakarta_EE
 
Monitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsMonitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsRudy De Busscher
 
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupHow Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupRudy De Busscher
 
JBCNConf 2017 - Building microservices with Vert.x
JBCNConf 2017 - Building microservices with Vert.xJBCNConf 2017 - Building microservices with Vert.x
JBCNConf 2017 - Building microservices with Vert.xBert Jan Schrijver
 
GeekOut 2017 - Microservices in action at the Dutch National Police
GeekOut 2017 - Microservices in action at the Dutch National PoliceGeekOut 2017 - Microservices in action at the Dutch National Police
GeekOut 2017 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
Gradual migration to MicroProfile
Gradual migration to MicroProfileGradual migration to MicroProfile
Gradual migration to MicroProfileRudy De Busscher
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RSPayara
 
Version Control in TFS 2013: GIT - 2013 Application Lifecycle Management Event
Version Control in TFS 2013: GIT - 2013 Application Lifecycle Management EventVersion Control in TFS 2013: GIT - 2013 Application Lifecycle Management Event
Version Control in TFS 2013: GIT - 2013 Application Lifecycle Management EventDelta-N
 

Recommended

JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native Companion
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native CompanionJakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native Companion
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native CompanionJakarta_EE
 
Monitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsMonitor Micro-service with MicroProfile metrics
Monitor Micro-service with MicroProfile metricsRudy De Busscher
 
How Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupHow Class Data Sharing Can Speed up Your Jakarta EE Application Startup
How Class Data Sharing Can Speed up Your Jakarta EE Application StartupRudy De Busscher
 
JBCNConf 2017 - Building microservices with Vert.x
JBCNConf 2017 - Building microservices with Vert.xJBCNConf 2017 - Building microservices with Vert.x
JBCNConf 2017 - Building microservices with Vert.xBert Jan Schrijver
 
GeekOut 2017 - Microservices in action at the Dutch National Police
GeekOut 2017 - Microservices in action at the Dutch National PoliceGeekOut 2017 - Microservices in action at the Dutch National Police
GeekOut 2017 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
Gradual migration to MicroProfile
Gradual migration to MicroProfileGradual migration to MicroProfile
Gradual migration to MicroProfileRudy De Busscher
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RSPayara
 
Version Control in TFS 2013: GIT - 2013 Application Lifecycle Management Event
Version Control in TFS 2013: GIT - 2013 Application Lifecycle Management EventVersion Control in TFS 2013: GIT - 2013 Application Lifecycle Management Event
Version Control in TFS 2013: GIT - 2013 Application Lifecycle Management EventDelta-N
 
Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013sqlserver.co.il
 
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinApplication Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinDocker, Inc.
 
Mastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckMastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckRundeck
 
SQL Server 2017 CLR
SQL Server 2017 CLRSQL Server 2017 CLR
SQL Server 2017 CLREduardo Piairo
 
Production Challenges for Container Networking
Production Challenges for Container NetworkingProduction Challenges for Container Networking
Production Challenges for Container NetworkingVipin Jain
 
Software Carpentry - Version control slides
Software Carpentry - Version control slidesSoftware Carpentry - Version control slides
Software Carpentry - Version control slidesanpawlik
 
EVE Microservices Platform
EVE Microservices PlatformEVE Microservices Platform
EVE Microservices PlatformAlaa Qutaish
 
MicroService Architecture
MicroService ArchitectureMicroService Architecture
MicroService ArchitectureMd. Hasan Basri (Angel)
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
Javantura v4 - True RESTful Java Web Services with JSON API and Katharsis - M...
Javantura v4 - True RESTful Java Web Services with JSON API and Katharsis - M...Javantura v4 - True RESTful Java Web Services with JSON API and Katharsis - M...
Javantura v4 - True RESTful Java Web Services with JSON API and Katharsis - M...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
[WSO2Con EU 2017] Writing Microservices Using MSF4J
[WSO2Con EU 2017] Writing Microservices Using MSF4J[WSO2Con EU 2017] Writing Microservices Using MSF4J
[WSO2Con EU 2017] Writing Microservices Using MSF4JWSO2
 
SQL Server 2017 CLR
SQL Server 2017 CLRSQL Server 2017 CLR
SQL Server 2017 CLREduardo Piairo
 
Microservices Architecture
Microservices ArchitectureMicroservices Architecture
Microservices ArchitectureSrinivasan Nanduri
 
Istio Mesh – Managing Container Deployments at Scale
Istio Mesh – Managing Container Deployments at ScaleIstio Mesh – Managing Container Deployments at Scale
Istio Mesh – Managing Container Deployments at ScaleMofizur Rahman
 
OpenShift for Triangle JavaUG
OpenShift for Triangle JavaUGOpenShift for Triangle JavaUG
OpenShift for Triangle JavaUGSteve Speicher
 
Single Source of Truth in a Distributed World by Sven Erik Knop
Single Source of Truth in a Distributed World by Sven Erik KnopSingle Source of Truth in a Distributed World by Sven Erik Knop
Single Source of Truth in a Distributed World by Sven Erik KnopPerforce
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Crikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopCrikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopVelocidex Enterprises
 
DevOps intro
DevOps introDevOps intro
DevOps introAbdelrhman Shawky
 
12 Factor App Methodology
12 Factor App Methodology12 Factor App Methodology
12 Factor App Methodologylaeshin park
 
Containers and Microservices for Realists
Containers and Microservices for RealistsContainers and Microservices for Realists
Containers and Microservices for RealistsOracle Developers
 

More Related Content

What's hot

Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013sqlserver.co.il
 
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinApplication Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinDocker, Inc.
 
Mastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckMastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckRundeck
 
Production Challenges for Container Networking
Production Challenges for Container NetworkingProduction Challenges for Container Networking
Production Challenges for Container NetworkingVipin Jain
 
Software Carpentry - Version control slides
Software Carpentry - Version control slidesSoftware Carpentry - Version control slides
Software Carpentry - Version control slidesanpawlik
 
EVE Microservices Platform
EVE Microservices PlatformEVE Microservices Platform
EVE Microservices PlatformAlaa Qutaish
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentLibbySchulze
 
[WSO2Con EU 2017] Writing Microservices Using MSF4J
[WSO2Con EU 2017] Writing Microservices Using MSF4J[WSO2Con EU 2017] Writing Microservices Using MSF4J
[WSO2Con EU 2017] Writing Microservices Using MSF4JWSO2
 
Istio Mesh – Managing Container Deployments at Scale
Istio Mesh – Managing Container Deployments at ScaleIstio Mesh – Managing Container Deployments at Scale
Istio Mesh – Managing Container Deployments at ScaleMofizur Rahman
 
OpenShift for Triangle JavaUG
OpenShift for Triangle JavaUGOpenShift for Triangle JavaUG
OpenShift for Triangle JavaUGSteve Speicher
 
Single Source of Truth in a Distributed World by Sven Erik Knop
Single Source of Truth in a Distributed World by Sven Erik KnopSingle Source of Truth in a Distributed World by Sven Erik Knop
Single Source of Truth in a Distributed World by Sven Erik KnopPerforce
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Crikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopCrikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopVelocidex Enterprises
 

What's hot (19)

Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013
 
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt BaldwinApplication Deployment and Management at Scale with 1&1 by Matt Baldwin
Application Deployment and Management at Scale with 1&1 by Matt Baldwin
 
Mastering Secrets Management in Rundeck
Mastering Secrets Management in RundeckMastering Secrets Management in Rundeck
Mastering Secrets Management in Rundeck
 
SQL Server 2017 CLR
SQL Server 2017 CLRSQL Server 2017 CLR
SQL Server 2017 CLR
 
Production Challenges for Container Networking
Production Challenges for Container NetworkingProduction Challenges for Container Networking
Production Challenges for Container Networking
 
Software Carpentry - Version control slides
Software Carpentry - Version control slidesSoftware Carpentry - Version control slides
Software Carpentry - Version control slides
 
EVE Microservices Platform
EVE Microservices PlatformEVE Microservices Platform
EVE Microservices Platform
 
MicroService Architecture
MicroService ArchitectureMicroService Architecture
MicroService Architecture
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
Cloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy AgentCloud native policy enforcement with Open Policy Agent
Cloud native policy enforcement with Open Policy Agent
 
Javantura v4 - True RESTful Java Web Services with JSON API and Katharsis - M...
Javantura v4 - True RESTful Java Web Services with JSON API and Katharsis - M...Javantura v4 - True RESTful Java Web Services with JSON API and Katharsis - M...
Javantura v4 - True RESTful Java Web Services with JSON API and Katharsis - M...
 
[WSO2Con EU 2017] Writing Microservices Using MSF4J
[WSO2Con EU 2017] Writing Microservices Using MSF4J[WSO2Con EU 2017] Writing Microservices Using MSF4J
[WSO2Con EU 2017] Writing Microservices Using MSF4J
 
SQL Server 2017 CLR
SQL Server 2017 CLRSQL Server 2017 CLR
SQL Server 2017 CLR
 
Microservices Architecture
Microservices ArchitectureMicroservices Architecture
Microservices Architecture
 
Istio Mesh – Managing Container Deployments at Scale
Istio Mesh – Managing Container Deployments at ScaleIstio Mesh – Managing Container Deployments at Scale
Istio Mesh – Managing Container Deployments at Scale
 
OpenShift for Triangle JavaUG
OpenShift for Triangle JavaUGOpenShift for Triangle JavaUG
OpenShift for Triangle JavaUG
 
Single Source of Truth in a Distributed World by Sven Erik Knop
Single Source of Truth in a Distributed World by Sven Erik KnopSingle Source of Truth in a Distributed World by Sven Erik Knop
Single Source of Truth in a Distributed World by Sven Erik Knop
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
Crikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopCrikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor Workshop
 

Similar to Security for devs

12 Factor App Methodology
12 Factor App Methodology12 Factor App Methodology
12 Factor App Methodologylaeshin park
 
Containers and Microservices for Realists
Containers and Microservices for RealistsContainers and Microservices for Realists
Containers and Microservices for RealistsOracle Developers
 
Containers and microservices for realists
Containers and microservices for realistsContainers and microservices for realists
Containers and microservices for realistsKarthik Gaekwad
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Containers, microservices and serverless for realists
Containers, microservices and serverless for realistsContainers, microservices and serverless for realists
Containers, microservices and serverless for realistsKarthik Gaekwad
 
Agile Secure Cloud Application Development Management
Agile Secure Cloud Application Development ManagementAgile Secure Cloud Application Development Management
Agile Secure Cloud Application Development ManagementAdam Getchell
 
Continuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and DockerContinuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and DockerAmazon Web Services
 
Auditing Drupal Sites for Performance, Content and Optimal Configuration - SA...
Auditing Drupal Sites for Performance, Content and Optimal Configuration - SA...Auditing Drupal Sites for Performance, Content and Optimal Configuration - SA...
Auditing Drupal Sites for Performance, Content and Optimal Configuration - SA...Jon Peck
 
15-factor-apps.pdf
15-factor-apps.pdf15-factor-apps.pdf
15-factor-apps.pdfNilesh Gule
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 
BYOP: Custom Processor Development with Apache NiFi
BYOP: Custom Processor Development with Apache NiFiBYOP: Custom Processor Development with Apache NiFi
BYOP: Custom Processor Development with Apache NiFiDataWorks Summit
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool sangam biradar
 
Staying Close to Experts with Executable Specifications
Staying Close to Experts with Executable SpecificationsStaying Close to Experts with Executable Specifications
Staying Close to Experts with Executable SpecificationsVagif Abilov
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOpsEklove Mohan
 
OpenStack Enabling DevOps
OpenStack Enabling DevOpsOpenStack Enabling DevOps
OpenStack Enabling DevOpsCisco DevNet
 
Improving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerImproving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerBrett Palmer
 
Continuous Delivery in the Cloud with Bitbucket Pipelines
Continuous Delivery in the Cloud with Bitbucket PipelinesContinuous Delivery in the Cloud with Bitbucket Pipelines
Continuous Delivery in the Cloud with Bitbucket PipelinesAtlassian
 

Similar to Security for devs (20)

DevOps intro
DevOps introDevOps intro
DevOps intro
 
12 Factor App Methodology
12 Factor App Methodology12 Factor App Methodology
12 Factor App Methodology
 
Containers and Microservices for Realists
Containers and Microservices for RealistsContainers and Microservices for Realists
Containers and Microservices for Realists
 
Containers and microservices for realists
Containers and microservices for realistsContainers and microservices for realists
Containers and microservices for realists
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Containers, microservices and serverless for realists
Containers, microservices and serverless for realistsContainers, microservices and serverless for realists
Containers, microservices and serverless for realists
 
Agile Secure Cloud Application Development Management
Agile Secure Cloud Application Development ManagementAgile Secure Cloud Application Development Management
Agile Secure Cloud Application Development Management
 
Continuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and DockerContinuous Integration with Amazon ECS and Docker
Continuous Integration with Amazon ECS and Docker
 
Auditing Drupal Sites for Performance, Content and Optimal Configuration - SA...
Auditing Drupal Sites for Performance, Content and Optimal Configuration - SA...Auditing Drupal Sites for Performance, Content and Optimal Configuration - SA...
Auditing Drupal Sites for Performance, Content and Optimal Configuration - SA...
 
StarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
StarlingX - A Platform for the Distributed Edge | Ildiko VancsaStarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
StarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
 
Power of Azure Devops
Power of Azure DevopsPower of Azure Devops
Power of Azure Devops
 
15-factor-apps.pdf
15-factor-apps.pdf15-factor-apps.pdf
15-factor-apps.pdf
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
BYOP: Custom Processor Development with Apache NiFi
BYOP: Custom Processor Development with Apache NiFiBYOP: Custom Processor Development with Apache NiFi
BYOP: Custom Processor Development with Apache NiFi
 
Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool Terrascan - Cloud Native Security Tool
Terrascan - Cloud Native Security Tool
 
Staying Close to Experts with Executable Specifications
Staying Close to Experts with Executable SpecificationsStaying Close to Experts with Executable Specifications
Staying Close to Experts with Executable Specifications
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOps
 
OpenStack Enabling DevOps
OpenStack Enabling DevOpsOpenStack Enabling DevOps
OpenStack Enabling DevOps
 
Improving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerImproving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with Docker
 
Continuous Delivery in the Cloud with Bitbucket Pipelines
Continuous Delivery in the Cloud with Bitbucket PipelinesContinuous Delivery in the Cloud with Bitbucket Pipelines
Continuous Delivery in the Cloud with Bitbucket Pipelines
 

Recently uploaded

Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 

Recently uploaded (20)

Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 

Security for devs

  • 2. ABOUT ME • Built multiple CI/CD Pipelines for businesses with different needs. • Lived 4 Years in Germany and now I’m back to ‫الوطن‬ ‫أرض‬ • A Software Engineer at day, a Hacker by night. • Love to automate everything. • In love with Security and an OSCP Holder. • Technical Consultant @S3Geeks • Security and Systems Engineer @FuturaSolutionsGmbH
  • 3. SDLC (SOFTWARE DEVELOPMENT LIFECYCLE) • A Software Development Life Cycle (SDLC) is a framework that defines the process used by organizations to build an application from its inception to its decommission. Over the years, multiple standard SDLC models have been proposed (Waterfall, Iterative, Agile, etc.) and used in various ways to fit individual circumstances.
  • 4. • Planning and requirements. • Architecture and design. • Test planning. • Coding. • Testing and results. • Release and maintenance. SDLC PHASES
  • 5. SECURE YOUR SDLC ACCORDING TO MICROSOFT • Provide Training. • Define Security Requirements. • Perform Thread Modeling. • Define and Use Cryptography Standards. • Follow Best Practices. • Perform Static Analysis. • Perform Dynamic Analysis. • Regularly Pentest. • Establish Incident Response Mechanism. Source: https://www.microsoft.com/en-us/securityengineering/sdl/practices
  • 6. •What happens when you write a url in a browser and press enter?
  • 8. • GET requests a specific resource in its entirety • HEAD requests a specific resource without the body content • POST adds content, messages, or data to a new page under an existing web resource • PUT directly modifies an existing web resource or creates a new URI if need be • DELETE gets rid of a specified resource • TRACE shows users any changes or additions made to a web resource • OPTIONS shows users which HTTP methods are available for a specific URL • CONNECT converts the request connection to a transparent TCP/IP tunnel • PATCH partially modifies a web resource HTTP REQUESTS
  • 9. HTTP HEADERS • Origin • Accept • Accept-Encoding • Cookie • Cache-Control • Dnt but many more exist.
  • 10. HTTP RESPONSES • 200 OK • 404 Not Found • 403 Forbidden • 301 Moved Permanently • 500 Internal Server Error • 304 Not Modified • 401 Unauthorized
  • 12. RESOURCE FOR DEVS? • Troy Hunt‘s OWASP Top 10 for .NET developers • https://files.troyhunt.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf • OWASP TOP 10 2017 • https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  • 13. LET‘S DO SOME HACKING •DEMO WEBGOAT.NET
  • 15. • Define your app Scope. • Regular and Internal Penetration tests. • Bug Bounty? Let the crowd hack you. SECURITY TESTS
  • 16. HOW TO YOU APPLY BEST PRACTICES • Always check OWASP‘s Best practices for a certain vulnerability. • Look for OWASP‘s Library/Framework Recommendations.
  • 17. HOW DO I KNOW ABOUT NEW 0DAYS? • Check if your local CERT if they offer a newsletter. • Subscribe to MITRE newsletter https://cve.mitre.org/news/newsletter.html • Regrularly Update Libraries/Frameworks you‘re using.
  • 18. SECURE YOUR CI/CD • Code Analysis. Analyze code for application specific vulnerabilities. • Container Hardening. Remove unneeded libraries and packages; restrict functions. • Image Scanning. Scan images for vulnerabilities at build; regularly in registries. • Image Signing, e.g. Content Trust. Ensure trust with signing and author / publisher verification. • User Access Controls, e.g. Registries. Restrict and monitor access to trusted registries and deployment tools. • Host and Kernel Security. Use SECCOMP, AppArmor, or SELinux or equivalent host security settings. • Access Controls. Enable restricted access to system and Docker daemon. • Auditing, e.g. Docker Bench. Perform security audit using Docker CIS benchmark.
  • 19. SECURE YOUR CI/CD • Network Inspection & Visualization. Inspect all container to container connections and build visualization for application stack behavior. • Threat Detection. Monitor applications for DDoS, DNS attacks and other network based application attacks. • Host & Container Privilege Escalation Detection. Detect privilege escalations on hosts and containers to predict break outs and attacks. • Packet Capture & Event Logging. Capture packets and event logs to enable forensics.