Opportunistic Indeed!
• TalkTalk: 150K+ PII records compromised (SQL injection)
• Ashley Madison: 37MM records compromised (weak VPN authentication)
• Home Depot: 56MM PII records compromised (weak access control)
• Patreon: 2.3MM PII records compromised (debugger left enabled in production)
• 000WebHost: 13.5MM PII records compromised (outdated PHP version)
Test Driven Development
• Bugs increase security risk
• Allows you to release faster
• Fixing issues while in development is cheaper
• Only way to prove that “My code works”
Take it to the next level: write security test cases alongside the functional ones
Database fingerprinting probes:
select version();
select current_database();
select current_user;
select session_user;
Time-based SQL injection probes (the first two use MSSQL's waitfor, the rest MySQL's benchmark):
'));waitfor delay '0:0:3'--
"));waitfor delay '0:0:3'--
benchmark(10000000,MD5(1))#
1 or benchmark(10000000,MD5(1))#
" or benchmark(10000000,MD5(1))#
' or benchmark(10000000,MD5(1))#
Feed them to every function that touches the database, e.g.:
getUserByName(first_name,last_name)
{
…
}
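The deck leaves the body of getUserByName elided, so here is what the "next level" test looks like in practice. This is an added example, not code from the deck or from SecureDB: it assumes SQLite, a made-up users table, and a Python rendering of getUserByName as get_user_by_name. The vulnerable version is kept deliberately broken (string-built SQL) next to the parameterized fix, and one test function runs the probe list against both. Bound parameters are the fix; the probes are only how you prove it.

```python
import sqlite3

# Constructed sample data for the example; the deck shows no schema, so this
# users table and its rows are assumptions.
SEED_USERS = [
    ("Alice", "Smith", "alice@example.com"),
    ("Bob", "Jones", "bob@example.com"),
    ("Conor", "O'Brien", "conor@example.com"),  # legitimate apostrophe in a name
]

# Probes in the spirit of the deck's list plus two plain tautologies. Against a
# correct implementation every one of them is just an unusual last name.
SQLI_PAYLOADS = [
    "' or 1=1--",
    "' or '1'='1",
    "'));waitfor delay '0:0:3'--",
    "' or benchmark(10000000,MD5(1))#",
    "x'",
]


def make_db():
    """In-memory SQLite so the test runs offline and starts from a known state."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (first_name, last_name, email) VALUES (?, ?, ?)", SEED_USERS
    )
    return conn


def get_user_by_name_vulnerable(conn, first_name, last_name):
    """The bug: user input is spliced into the SQL text, so a quote changes the query."""
    sql = "SELECT id, email FROM users WHERE first_name = '%s' AND last_name = '%s'" % (
        first_name, last_name)
    return conn.execute(sql).fetchall()


def get_user_by_name(conn, first_name, last_name):
    """The fix: bound parameters; the driver keeps input as data, never as SQL."""
    sql = "SELECT id, email FROM users WHERE first_name = ? AND last_name = ?"
    return conn.execute(sql, (first_name, last_name)).fetchall()


def injection_findings(lookup, conn):
    """Feed every payload to `lookup` as the last name of a user who does not exist.

    Returns a list of (payload, problem). A correct implementation returns []:
    a payload must neither return rows (a tautology reached the WHERE clause)
    nor raise a database error (the quote reached the SQL parser). Either one
    means the input was executed as SQL instead of compared as data.
    """
    findings = []
    for payload in SQLI_PAYLOADS:
        try:
            rows = lookup(conn, "nobody", payload)
        except sqlite3.Error as exc:
            findings.append((payload, "query error: %s" % exc))
            continue
        if rows:
            findings.append((payload, "leaked %d rows" % len(rows)))
    return findings


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", injection_findings(get_user_by_name_vulnerable, db))
    print("fixed:", injection_findings(get_user_by_name, db))
```

The O'Brien row is the other half of the point: the string-built query breaks on a legitimate name, while the parameterized one finds it. Treating "no rows and no error" as the pass condition lets the same test double as a regression test whenever someone rewrites the query.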
New Responsibility Model
• At SecureDB, we have no testers. Only
“Buddies”
• “Buddies” are fellow developers that:
– Test your code
– Review your code
– Give you feedback
• Switch “Buddies” every sprint
Where would I even start?
STEP 1: Find a comparable company in your space
STEP 2: COPY IDEAS SHAMELESSLY
Examples:
You’re a social media company with too many locked accounts.
A: How many login attempts does Twitter allow?
You’re an e-commerce site worried about fake accounts.
A: How does Amazon do it?
Don’t re-invent the wheel
Two Factor Everything
• Evaluate every service you use for TFA support
– Hosting
– Email
– DNS
– Code repos
– SSH access
– File sharing systems
• If a vendor does not support TFA
– Are they really worth your time and money?
Change Default Accounts
• Default Admin Username/Password
– Databases
– Key Stores
– Content Management Systems
• Disable Unnecessary Services
• Delete unwanted accounts
Firewall Effectively
• Dev environment is only for developers
– Block access from the internet
– IP-based restrictions
• Restrict SSH access
– IP-based restrictions
– Easy to set up
• Filter ingress and egress
• Install a WAF (free ones exist)
Continuous Security (DevSecOps)
• Provisioning a new VM
– Install the latest patches
– Apply the right firewall policies
– Stop unwanted services
– Start appropriate services
• Run as part of the build:
– Fuzzing tests
– Vulnerability scans
– Static analysis
– Dynamic analysis
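Running the scanners is the easy half; the build also has to fail on what they find, without drowning an existing codebase in findings it cannot fix this sprint. The gate below is an added example, not code from the deck or from SecureDB. It reads a report in the shape of bandit's JSON output (the key names are the ones bandit emits; the findings themselves are constructed for the example), blocks on severity and confidence thresholds, and accepts a documented baseline of known findings so that only new problems break the build.

```python
import json
import sys

# Constructed sample in the shape of `bandit -f json` output. In a pipeline the
# report is read from the file the scanner wrote. B201 is bandit's check for a
# Flask app run with debug=True: the "debugger in prod" failure from the breach list.
SAMPLE_BANDIT_REPORT = json.dumps({"results": [
    {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
     "filename": "app/db.py", "line_number": 42,
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "filename": "app/config.py", "line_number": 7,
     "issue_text": "Possible hardcoded password: 'changeme'"},
    {"test_id": "B201", "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
     "filename": "app/main.py", "line_number": 12,
     "issue_text": "A Flask app appears to be run with debug=True."},
]})

SEVERITY_RANK = {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def gate(report_json, fail_on="MEDIUM", min_confidence="MEDIUM", baseline=()):
    """Decide whether a build may proceed.

    fail_on / min_confidence: the lowest severity and confidence that block the build.
    baseline: (test_id, filename) pairs that are accepted, documented exceptions,
    so an existing codebase can switch the gate on without fixing everything first;
    any finding not in the baseline still fails the build.
    Returns (passed, blocking_findings).
    """
    report = json.loads(report_json)
    blocking = []
    for r in report.get("results", []):
        if SEVERITY_RANK[r["issue_severity"]] < SEVERITY_RANK[fail_on]:
            continue
        if SEVERITY_RANK[r["issue_confidence"]] < SEVERITY_RANK[min_confidence]:
            continue
        if (r["test_id"], r["filename"]) in baseline:
            continue
        blocking.append("%s %s:%d [%s] %s" % (
            r["test_id"], r["filename"], r["line_number"],
            r["issue_severity"], r["issue_text"]))
    return (not blocking, blocking)


if __name__ == "__main__":
    # Usage in CI (assumed): bandit -r . -f json -o bandit.json && python gate.py < bandit.json
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BANDIT_REPORT
    passed, findings = gate(report)
    for line in findings:
        print("BLOCKING:", line)
    sys.exit(0 if passed else 1)
```

The exit status is the whole integration: the CI step fails when the gate fails. Keep the baseline in version control next to the code so that accepting a finding is itself a reviewed change.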
Input Validation
• Trust nothing that comes from the client
• Every layer does its own validation
• Whitelist vs Blacklist?
– Whitelist is better
• Use well-tested libraries
– Or the OWASP validation regexes
• Specifically test for SQLi and XSS
• Example
Output Escaping
• Escape all content to be rendered
• Use UI frameworks that escape by default
• Scan the code for usage of unescaped methods
• Example
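The two "Example" slides above are not in the transcript, so here is one added example covering both the validation and the escaping slides. It is not code from the deck or from SecureDB: the form fields and their allowlist rules are assumed, the template text is constructed, and the names validate, render_profile and find_unescaped_usages are made up for the example. It shows why the allowlist beats the blocklist (an onerror payload with no script tag walks past the blocklist), escapes at the render step regardless of what validation did, scans template source for Jinja2's real escape hatches (|safe and Markup), and finishes with a small fuzz test of the escaper of the kind the build could run.

```python
import html
import random
import re
import string

# Allowlist rules for a hypothetical signup form (assumed for the example): each
# pattern states exactly what is accepted; anything else is rejected.
ALLOWLIST = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "display_name": re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}"),
    "zip": re.compile(r"\d{5}(-\d{4})?"),
}

# A blocklist, included only to show why the deck prefers the allowlist.
BLOCKLIST = re.compile(r"<script", re.IGNORECASE)

# Constructed Jinja2-style template text scanned by find_unescaped_usages below.
SAMPLE_TEMPLATE = """<h1>{{ user.name }}</h1>
<div class="bio">{{ user.bio|safe }}</div>
<footer>{{ Markup(footer_html) }}</footer>
"""


def validate(field, value):
    """Allowlist validation: accept only if the whole value matches the pattern.

    fullmatch (rather than match/search with ^ and $) also rejects a trailing
    newline, which `$` on its own would let through.
    """
    pattern = ALLOWLIST.get(field)
    return bool(pattern and pattern.fullmatch(value))


def blocklist_validate(value):
    """Blocklist validation: rejects only what someone thought of in advance."""
    return not BLOCKLIST.search(value)


def escape_for_html(value):
    """Escape for an HTML text node or a double/single-quoted attribute value."""
    return html.escape(value, quote=True)


def render_profile(display_name):
    """Output escaping at the render step, whatever validation did earlier."""
    safe = escape_for_html(display_name)
    return '<h1 title="%s">%s</h1>' % (safe, safe)


def find_unescaped_usages(template_source):
    """Return line numbers where a template switches auto-escaping off.

    `|safe` and `Markup(...)` are Jinja2's escape hatches; every hit is a place
    a reviewer must confirm the content really is trusted.
    """
    marker = re.compile(r"\|\s*safe\b|\bMarkup\(")
    return [no for no, line in enumerate(template_source.splitlines(), 1)
            if marker.search(line)]


def fuzz_escaper(iterations=5000, seed=1):
    """Cheap fuzz test for the escaper: random printable input must never yield
    a raw <, >, " or ' in the output. Returns a counterexample, or None."""
    rng = random.Random(seed)
    for _ in range(iterations):
        value = "".join(rng.choice(string.printable) for _ in range(rng.randint(0, 40)))
        if any(ch in escape_for_html(value) for ch in "<>\"'"):
            return value
    return None
```

Validation and escaping answer different questions: validation decides whether the value is acceptable at all, escaping makes whatever is stored safe for the context it is rendered in. A display name such as Conor O'Brien has to pass validation, which is exactly why the apostrophe still has to be escaped on output.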
Authentication
Web:
– Form Based Authentication
– Two Factor Authentication (TOTP, text message)
– Social Logins (Facebook, Twitter, Google)
APIs:
– Basic Authentication
– Digest Authentication
– OAuth
– Certificate Based Authentication
– JWT (with JWS/JWE)
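Of the options listed, TOTP is the one a team is most likely to implement itself, so here is the algorithm worked through against the published test vectors. This is an added example, not code from the deck or from SecureDB; it uses only the standard library and the RFC 4226/6238 reference secret. The verify function returns the time step that matched so the caller can store it and refuse a second use of the same code, which is the replay window that the clock-skew tolerance otherwise opens.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, last_counter=None):
    """Check a submitted code against the current step and `window` steps either side.

    Returns the matched counter so the caller can persist it and pass it back as
    `last_counter` next time; a code for that step or an earlier one is then
    refused, which closes the replay window that clock tolerance opens.
    Returns None on mismatch. The comparison is constant-time.
    """
    if at is None:
        at = int(time.time())
    current = at // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None


def secret_from_base32(text):
    """Authenticator apps exchange the secret as base32, often lowercase, grouped
    with spaces and without padding; normalise before decoding."""
    text = text.replace(" ", "").strip().upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    # The RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(secret, int(time.time())))
```

Two things the RFC leaves to the implementer and that matter in production: rate-limit verification attempts per account (a six-digit code with a three-step window is brute-forceable otherwise), and keep the per-user secret encrypted at rest, since whoever reads it can mint codes.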
Authorization
• Privilege escalation attacks are common
• Authz mechanisms
– Role Based Access Control (RBAC)
– Attribute Based Access Control (ABAC)
• Do authz checks at every layer, whatever carries the identity
– Cookies
– JWT (mobile friendly)
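What "checks at every layer" means in code, as an added example that is not from the deck or from SecureDB. The users, documents and permission table are constructed; the web-layer handler is a stand-in for a real router. RBAC answers the vertical question (may this role delete at all?), ABAC the horizontal one (may this user touch this particular document?), and the service layer repeats the decision so that a caller which bypasses the web layer gains nothing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


@dataclass
class Document:
    doc_id: str
    owner_id: str
    classification: str  # "public", "internal" or "restricted"
    body: str


class Forbidden(Exception):
    pass


# RBAC layer: which actions a role may ever perform (vertical privilege).
ROLE_PERMISSIONS = {
    "user": {"doc:read", "doc:update"},
    "auditor": {"doc:read"},
    "admin": {"doc:read", "doc:update", "doc:delete"},
}


def rbac_allows(principal, action):
    return any(action in ROLE_PERMISSIONS.get(role, ()) for role in principal.roles)


# ABAC layer: attributes of subject and object decide for this specific document
# (horizontal privilege: one user reaching another user's record).
def abac_allows(principal, action, doc):
    if "admin" in principal.roles or doc.owner_id == principal.user_id:
        return True
    if action == "doc:read":
        if doc.classification == "public":
            return True
        if doc.classification == "internal" and "auditor" in principal.roles:
            return True
    return False


def authorize(principal, action, doc):
    """Deny by default: both layers must agree."""
    if not (rbac_allows(principal, action) and abac_allows(principal, action, doc)):
        raise Forbidden("%s may not %s %s" % (principal.user_id, action, doc.doc_id))


class DocumentService:
    """Service layer. It re-checks authorization itself, so a caller that skips
    the web layer (batch job, second API, a buggy handler) gains nothing."""

    def __init__(self, docs):
        self._docs = {d.doc_id: d for d in docs}

    def _load(self, doc_id):
        if doc_id not in self._docs:
            raise KeyError(doc_id)
        return self._docs[doc_id]

    def get(self, principal, doc_id):
        doc = self._load(doc_id)
        authorize(principal, "doc:read", doc)
        return doc

    def update(self, principal, doc_id, body):
        doc = self._load(doc_id)
        authorize(principal, "doc:update", doc)
        doc.body = body
        return doc

    def delete(self, principal, doc_id):
        authorize(principal, "doc:delete", self._load(doc_id))
        del self._docs[doc_id]


ACTIONS = {"GET": "doc:read", "PUT": "doc:update", "DELETE": "doc:delete"}


def handle_request(service, session_user, method, doc_id, body=None):
    """Web layer (stand-in for a router). Its cheap role check runs first; the
    object-level decision is left to the service, which has the document."""
    action = ACTIONS[method]
    if not rbac_allows(session_user, action):
        return 403, "forbidden"
    try:
        if method == "GET":
            return 200, service.get(session_user, doc_id).body
        if method == "PUT":
            return 200, service.update(session_user, doc_id, body).body
        service.delete(session_user, doc_id)
        return 200, "deleted"
    except KeyError:
        return 404, "not found"
    except Forbidden:
        return 403, "forbidden"


def sample_world():
    """Constructed users and documents for the example."""
    alice = Principal("alice", frozenset({"user"}))
    bob = Principal("bob", frozenset({"user"}))
    carol = Principal("carol", frozenset({"auditor"}))
    root = Principal("root", frozenset({"admin"}))
    service = DocumentService([
        Document("d1", "alice", "internal", "alice's notes"),
        Document("d2", "bob", "restricted", "bob's salary"),
        Document("d3", "bob", "public", "bob's blog post"),
    ])
    return service, alice, bob, carol, root
```

The two escalations the deck warns about both show up as 403s: alice reading bob's restricted record (horizontal) and alice deleting her own document when her role has no delete right (vertical). Whether the identity arrived in a cookie or a JWT is irrelevant to this code; the Principal is built once from the session, and the checks run on it at both layers.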
White Hat Program
• Allow white hat hackers to find security issues and report them to you
• Explicit contract laying out what kind of attacks they may execute
• Implicit contract that they won’t go public with it
– And give you reasonable time to fix it
• Pay per bug, scaled by severity
• Example
You are the best CISO of your application
Questions?

Software Development in the Age of Breaches
