SlideShare a Scribd company logo

Software Security by Glenn Wilson

Download as PPTX, PDF
A
Alex Cachia

There are many ways to secure software. In this talk, I will explain some of the different techniques used to prevent introducing security vulnerabilities into your software, using threat modelling, automated testing and dependency validation.

1 of 25
Software Security With Glenn Wilson
@Dynaminet /glennwilson Glenn Wilson Cybersecurity specialist, CTO & Founder
February 2020 @Dynaminet 2 © Alamy (https://www.alamy.com/)
How secure is my software? February 2020 @Dynaminet 3
The 5 key practices for more secure software: Good design Security Testing Dependency checking Protect your Source Code Education February 2020 @Dynaminet 4
Good design doesn’t cost, but it pays! February 2020 @Dynaminet 5
February 2020 @Dynaminet 6 Produce Clean Maintainable Code
NEVER STORE PASSWORDS IN PLAIN TEXT…. EVER! • Use STRONG hashing • Use Salted values (randomised!!) Build in Multifactor Authentication (MFA) • Something your user knows • Something your user has • Something your user is Enforce Password policies • Password rotation • Password strength February 2020 @Dynaminet 7
Use STRONG Encryption… EVERYWHERE • No excuse for weak encryption • Encrypt Data at Rest and Data in Transit Asymmetric Encryption • Used for authentication and confidentiality • Public key can be shared • Private key must be kept secret / stored securely Symmetric Key • Sender and user use same key • Use with HMAC February 2020 @Dynaminet 8
Validate ALLinput • User input • Query string parameters • API parameters • Validate EVERY VALUE (zero trust) Use Whitelisting • IP Addresses • Trusted Domain Names (be explicit) • Valid Characters Avoid Implicit Serialisation • Explicitly define object state February 2020 @Dynaminet 9 ✓ ✗
Always Enable / Configure Security Related Headers • Control your response / request headers Content Security Policy (CSP) • Set policies in Content-Security-Policy header • Defend against Cross Site Scripting (XSS) • Prevents packet sniffing Cross-Origin Resource Sharing (CORS) • Set Access-Control-Allow-Origin headers appropriately • Set CDN / external JavaScript / CSS libraries and public API endpoints February 2020 @Dynaminet 10
Always Log Security Events • Authentication / Authorisation Failures • Application / System Errors • Suspicious / Unexpected Behaviour Keep Logs Secure • Prevent Attackers from Hiding Their Tracks • Prevent Data Leaks Do NOT Log Data Illegally / Unnecessarily, such as: • Access Tokens • Personally Identifiable Information (PII) • Secrets / Encryption Keys • Payment Data February 2020 @Dynaminet 11
All Code Is Guilty Until Proven Innocent February 2020 @Dynaminet 12
February 2020 @Dynaminet 13 Unit Tests Pen Tests Static Application Security Tests Integration Security Tests slower faster more expensive cheaper
Write Security Unit Test Cases: • Identity, Authentication & Access Control • Input Validation & Encoding • Encryption • User and Session Management • Error and Exception Handling • Auditing and Logging February 2020 @Dynaminet 14 ✓✗ ✓ ✓ ✓ ✓ ✓ ✓
Use Static Code Analysis Tools • Integrate into IDE / CI/CD Pipeline • Identifies Most Common Source Code Vulnerabilities • Scans Source Code or Binaries Top SAST Tools Include: • Checkmarx • Veracode • Fortify on Demand • SonarQube • HCL AppScan BUT… • Can Generate Many False Positives • Bound to Specific Technologies February 2020 @Dynaminet 15
Automate Tests Beyond Source Code Using DAST, IAST and RASP • Dynamic Application Security Testing • Simulates Real Attacks • Integrates into CI/CD Pipeline • Interactive Application Security Testing • Runtime instrumentation used in TESTING • Identifies Events at Runtime that may have Security Relevance • Runtime Application Self Protection • Runtime Instrumentation used in PRODUCTION • Prevents Exploitation of Common Vulnerabilities February 2020 @Dynaminet 16
Use Penetration Testers Exploit Vulnerabilities in your Code • They use complex chains of vulnerabilities not Identified by Automated Tests • Imitate Hackers and use Hacker Tools • Provide a Report of Vulnerabilities BUT… • Do NOT rely EXCLUSIVELY on Pen Testing • Usually Performed TOO LATE in the SDLC for developers February 2020 @Dynaminet 17
“Before software can be reusable it first has to be usable” - Ralph Johnson February 2020 @Dynaminet 18
Check that your Free Open Source Software are not Vulnerable • Use Scanning Tools to Scan your Dependencies • Known Vulnerabilities are Exploited by Hackers • CVEs are Publicly Available (mitre.org) • Patch!!! • Use Scanning Tools Directly in your IDE – UPDATE LIBS QUICKLY in DEV • SCAN CONTAINERS – they bring a whole bunch of vulnerabilities with them!!!! February 2020 @Dynaminet 19
”It’s not enough for code to work” – Robert C. Martin February 2020 @Dynaminet 20
Secure your Source Code… ALWAYS • Secure the Development Environment • Keep it separate from Production • Flexible Security – don’t Hinder Development • Protect the Source Code Repository • Access Controls • Monitor for Unusual Code Changes (e.g. external) • Secure the Build and Deployment Pipeline • Control Secrets and Credentials • Automate • Only Promote TRUSTED Branches February 2020 @Dynaminet 21
“Knowledge is a weapon. I intend to be formidably armed.”― Terry Goodkind February 2020 @Dynaminet 22
February 2020 @Dynaminet 23
February 2020 @Dynaminet 24 &

Recommended

Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...
Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...
Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...
Liran Tal
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
Top 3 tips for security documentation
Top 3 tips for security documentationTop 3 tips for security documentation
Top 3 tips for security documentation
Michael Furman
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
Volodymyr Kimak "Security Tips for Android App"
Volodymyr Kimak "Security Tips for Android App"Volodymyr Kimak "Security Tips for Android App"
Volodymyr Kimak "Security Tips for Android App"
Igor Beliaiev
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
5h1vang
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
NowSecure
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8
5h1vang
 

Recommended

Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...
Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...
Liran tal Stranger Danger Security vulnerabilities - Negev Web Developers mee...
Liran Tal
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
Top 3 tips for security documentation
Top 3 tips for security documentationTop 3 tips for security documentation
Top 3 tips for security documentation
Michael Furman
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
Volodymyr Kimak "Security Tips for Android App"
Volodymyr Kimak "Security Tips for Android App"Volodymyr Kimak "Security Tips for Android App"
Volodymyr Kimak "Security Tips for Android App"
Igor Beliaiev
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
5h1vang
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
NowSecure
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8
5h1vang
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An Attack
Nordic APIs
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
AaronLieberman5
 
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
LF_APIStrat
 
501 ch-1-mastering-security-basics
501 ch-1-mastering-security-basics501 ch-1-mastering-security-basics
501 ch-1-mastering-security-basics
gocybersec
 
iSyndica - Building an API
iSyndica - Building an APIiSyndica - Building an API
iSyndica - Building an APIe27
 
Feeding the Virtual Patch Pipeline
Feeding the Virtual Patch PipelineFeeding the Virtual Patch Pipeline
Feeding the Virtual Patch Pipeline
DevOps.com
 
How to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureHow to-become-secure-and-stay-secure
How to-become-secure-and-stay-secure
IIMBNSRCEL
 
Your internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableYour internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerable
IIMBNSRCEL
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Chema Alonso
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 
API First
API FirstAPI First
API First
Kirsten Hunter
 
Dorking & Pentesting with Tacyt
Dorking & Pentesting with TacytDorking & Pentesting with Tacyt
Dorking & Pentesting with Tacyt
Chema Alonso
 
Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!
Michele Butcher
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profit
Nipun Jaswal
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
NowSecure
 
Ha(Attackers) Exposed
Ha(Attackers) ExposedHa(Attackers) Exposed
Ha(Attackers) Exposed
Eugene Tawiah
 
y3dips - Who Own Your Sensitive Information?
y3dips - Who Own Your Sensitive Information?y3dips - Who Own Your Sensitive Information?
y3dips - Who Own Your Sensitive Information?
Ammar WK
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
DevOps.com
 
Tips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party LibrariesTips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party Libraries
Katy Anton
 

More Related Content

What's hot

Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An Attack
Nordic APIs
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
AaronLieberman5
 
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
LF_APIStrat
 
501 ch-1-mastering-security-basics
501 ch-1-mastering-security-basics501 ch-1-mastering-security-basics
501 ch-1-mastering-security-basics
gocybersec
 
iSyndica - Building an API
iSyndica - Building an APIiSyndica - Building an API
iSyndica - Building an APIe27
 
Feeding the Virtual Patch Pipeline
Feeding the Virtual Patch PipelineFeeding the Virtual Patch Pipeline
Feeding the Virtual Patch Pipeline
DevOps.com
 
How to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureHow to-become-secure-and-stay-secure
How to-become-secure-and-stay-secure
IIMBNSRCEL
 
Your internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableYour internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerable
IIMBNSRCEL
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Chema Alonso
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By NirmalNIRMAL RAJ
 
API First
API FirstAPI First
API First
Kirsten Hunter
 
Dorking & Pentesting with Tacyt
Dorking & Pentesting with TacytDorking & Pentesting with Tacyt
Dorking & Pentesting with Tacyt
Chema Alonso
 
Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!
Michele Butcher
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profit
Nipun Jaswal
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
NowSecure
 
Ha(Attackers) Exposed
Ha(Attackers) ExposedHa(Attackers) Exposed
Ha(Attackers) Exposed
Eugene Tawiah
 
y3dips - Who Own Your Sensitive Information?
y3dips - Who Own Your Sensitive Information?y3dips - Who Own Your Sensitive Information?
y3dips - Who Own Your Sensitive Information?
Ammar WK
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 

What's hot (20)

Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to go
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An Attack
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
 
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You...
 
501 ch-1-mastering-security-basics
501 ch-1-mastering-security-basics501 ch-1-mastering-security-basics
501 ch-1-mastering-security-basics
 
iSyndica - Building an API
iSyndica - Building an APIiSyndica - Building an API
iSyndica - Building an API
 
Feeding the Virtual Patch Pipeline
Feeding the Virtual Patch PipelineFeeding the Virtual Patch Pipeline
Feeding the Virtual Patch Pipeline
 
How to-become-secure-and-stay-secure
How to-become-secure-and-stay-secureHow to-become-secure-and-stay-secure
How to-become-secure-and-stay-secure
 
Your internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerableYour internet-exposure-that-makes-you-vulnerable
Your internet-exposure-that-makes-you-vulnerable
 
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataCazando Cibercriminales con: OSINT + Cloud Computing + Big Data
Cazando Cibercriminales con: OSINT + Cloud Computing + Big Data
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
 
API First
API FirstAPI First
API First
 
Dorking & Pentesting with Tacyt
Dorking & Pentesting with TacytDorking & Pentesting with Tacyt
Dorking & Pentesting with Tacyt
 
Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!Passwords, Attakcks, and Security, oh my!
Passwords, Attakcks, and Security, oh my!
 
Hijacking Softwares for fun and profit
Hijacking Softwares for fun and profitHijacking Softwares for fun and profit
Hijacking Softwares for fun and profit
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 
Ha(Attackers) Exposed
Ha(Attackers) ExposedHa(Attackers) Exposed
Ha(Attackers) Exposed
 
y3dips - Who Own Your Sensitive Information?
y3dips - Who Own Your Sensitive Information?y3dips - Who Own Your Sensitive Information?
y3dips - Who Own Your Sensitive Information?
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security
 

Similar to Software Security by Glenn Wilson

Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
DevOps.com
 
Tips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party LibrariesTips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party Libraries
Katy Anton
 
Creating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkCreating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdk
Martin Vigo
 
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Advanced monitoring
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
Ravi Aggarwal
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
Sophos Benelux
 
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
BeyondTrust
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
Appsecco
 
Open source iam value, benefits, and risks
Open source iam value, benefits, and risksOpen source iam value, benefits, and risks
Open source iam value, benefits, and risks
WSO2
 
A question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksA question of trust - understanding Open Source risks
A question of trust - understanding Open Source risks
Tim Mackey
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
WSO2
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
IBM Security
 
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
Davide Cioccia
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
Jim Kaplan CIA CFE
 
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
Don't Forget Your (Virtual) Keys: Creating and Using Strong PasswordsDon't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
rmortiz66
 

Similar to Software Security by Glenn Wilson (20)

Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
 
Tips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party LibrariesTips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party Libraries
 
Creating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkCreating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdk
 
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
Open source iam value, benefits, and risks
Open source iam value, benefits, and risksOpen source iam value, benefits, and risks
Open source iam value, benefits, and risks
 
A question of trust - understanding Open Source risks
A question of trust - understanding Open Source risksA question of trust - understanding Open Source risks
A question of trust - understanding Open Source risks
 
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —...
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017)
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
Don't Forget Your (Virtual) Keys: Creating and Using Strong PasswordsDon't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
 

More from Alex Cachia

No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...
No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...
No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...
Alex Cachia
 
Supporting IT by David Meares
Supporting IT by David MearesSupporting IT by David Meares
Supporting IT by David Meares
Alex Cachia
 
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonOWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
Alex Cachia
 
If you think open source is not for you, think again by Jane Chakravorty
If you think open source is not for you, think again by Jane ChakravortyIf you think open source is not for you, think again by Jane Chakravorty
If you think open source is not for you, think again by Jane Chakravorty
Alex Cachia
 
Chaos Engineering – why we should all practice breaking things on purpose by ...
Chaos Engineering – why we should all practice breaking things on purpose by ...Chaos Engineering – why we should all practice breaking things on purpose by ...
Chaos Engineering – why we should all practice breaking things on purpose by ...
Alex Cachia
 
A brief overview of the history and practice of user experience by Ian Westbrook
A brief overview of the history and practice of user experience by Ian WestbrookA brief overview of the history and practice of user experience by Ian Westbrook
A brief overview of the history and practice of user experience by Ian Westbrook
Alex Cachia
 
Return the carriage, feed the line by Aaron Taylor
Return the carriage, feed the line by Aaron TaylorReturn the carriage, feed the line by Aaron Taylor
Return the carriage, feed the line by Aaron Taylor
Alex Cachia
 
Treating your career path and training like leveling up in games by Raymond C...
Treating your career path and training like leveling up in games by Raymond C...Treating your career path and training like leveling up in games by Raymond C...
Treating your career path and training like leveling up in games by Raymond C...
Alex Cachia
 
Digital forensics and giving evidence by Jonathan Haddock
Digital forensics and giving evidence by Jonathan Haddock Digital forensics and giving evidence by Jonathan Haddock
Digital forensics and giving evidence by Jonathan Haddock
Alex Cachia
 
Data Preparation and the Importance of How Machines Learn by Rebecca Vickery
Data Preparation and the Importance of How Machines Learn by Rebecca VickeryData Preparation and the Importance of How Machines Learn by Rebecca Vickery
Data Preparation and the Importance of How Machines Learn by Rebecca Vickery
Alex Cachia
 
Why Rust? by Edd Barrett (codeHarbour December 2019)
Why Rust? by Edd Barrett (codeHarbour December 2019)Why Rust? by Edd Barrett (codeHarbour December 2019)
Why Rust? by Edd Barrett (codeHarbour December 2019)
Alex Cachia
 
Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...
Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...
Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...
Alex Cachia
 
Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)
Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)
Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)
Alex Cachia
 
Developing for Africa by Jonathan Haddock (codeHarbour October 2019)
Developing for Africa by Jonathan Haddock (codeHarbour October 2019)Developing for Africa by Jonathan Haddock (codeHarbour October 2019)
Developing for Africa by Jonathan Haddock (codeHarbour October 2019)
Alex Cachia
 
Revving up with Reinforcement Learning by Ricardo Sueiras
Revving up with Reinforcement Learning by Ricardo SueirasRevving up with Reinforcement Learning by Ricardo Sueiras
Revving up with Reinforcement Learning by Ricardo Sueiras
Alex Cachia
 
Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)
Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)
Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)
Alex Cachia
 
Seeking Simplicity by Phil Nash (codeHarbour June 2019)
Seeking Simplicity by Phil Nash (codeHarbour June 2019)Seeking Simplicity by Phil Nash (codeHarbour June 2019)
Seeking Simplicity by Phil Nash (codeHarbour June 2019)
Alex Cachia
 
Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)
Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)
Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)
Alex Cachia
 
Managing technical debt by Chris Willmott (codeHarbour April 2019)
Managing technical debt by Chris Willmott (codeHarbour April 2019)Managing technical debt by Chris Willmott (codeHarbour April 2019)
Managing technical debt by Chris Willmott (codeHarbour April 2019)
Alex Cachia
 
Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)
Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)
Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)
Alex Cachia
 

More from Alex Cachia (20)

No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...
No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...
No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ...
 
Supporting IT by David Meares
Supporting IT by David MearesSupporting IT by David Meares
Supporting IT by David Meares
 
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonOWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
 
If you think open source is not for you, think again by Jane Chakravorty
If you think open source is not for you, think again by Jane ChakravortyIf you think open source is not for you, think again by Jane Chakravorty
If you think open source is not for you, think again by Jane Chakravorty
 
Chaos Engineering – why we should all practice breaking things on purpose by ...
Chaos Engineering – why we should all practice breaking things on purpose by ...Chaos Engineering – why we should all practice breaking things on purpose by ...
Chaos Engineering – why we should all practice breaking things on purpose by ...
 
A brief overview of the history and practice of user experience by Ian Westbrook
A brief overview of the history and practice of user experience by Ian WestbrookA brief overview of the history and practice of user experience by Ian Westbrook
A brief overview of the history and practice of user experience by Ian Westbrook
 
Return the carriage, feed the line by Aaron Taylor
Return the carriage, feed the line by Aaron TaylorReturn the carriage, feed the line by Aaron Taylor
Return the carriage, feed the line by Aaron Taylor
 
Treating your career path and training like leveling up in games by Raymond C...
Treating your career path and training like leveling up in games by Raymond C...Treating your career path and training like leveling up in games by Raymond C...
Treating your career path and training like leveling up in games by Raymond C...
 
Digital forensics and giving evidence by Jonathan Haddock
Digital forensics and giving evidence by Jonathan Haddock Digital forensics and giving evidence by Jonathan Haddock
Digital forensics and giving evidence by Jonathan Haddock
 
Data Preparation and the Importance of How Machines Learn by Rebecca Vickery
Data Preparation and the Importance of How Machines Learn by Rebecca VickeryData Preparation and the Importance of How Machines Learn by Rebecca Vickery
Data Preparation and the Importance of How Machines Learn by Rebecca Vickery
 
Why Rust? by Edd Barrett (codeHarbour December 2019)
Why Rust? by Edd Barrett (codeHarbour December 2019)Why Rust? by Edd Barrett (codeHarbour December 2019)
Why Rust? by Edd Barrett (codeHarbour December 2019)
 
Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...
Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...
Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...
 
Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)
Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)
Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)
 
Developing for Africa by Jonathan Haddock (codeHarbour October 2019)
Developing for Africa by Jonathan Haddock (codeHarbour October 2019)Developing for Africa by Jonathan Haddock (codeHarbour October 2019)
Developing for Africa by Jonathan Haddock (codeHarbour October 2019)
 
Revving up with Reinforcement Learning by Ricardo Sueiras
Revving up with Reinforcement Learning by Ricardo SueirasRevving up with Reinforcement Learning by Ricardo Sueiras
Revving up with Reinforcement Learning by Ricardo Sueiras
 
Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)
Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)
Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)
 
Seeking Simplicity by Phil Nash (codeHarbour June 2019)
Seeking Simplicity by Phil Nash (codeHarbour June 2019)Seeking Simplicity by Phil Nash (codeHarbour June 2019)
Seeking Simplicity by Phil Nash (codeHarbour June 2019)
 
Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)
Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)
Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)
 
Managing technical debt by Chris Willmott (codeHarbour April 2019)
Managing technical debt by Chris Willmott (codeHarbour April 2019)Managing technical debt by Chris Willmott (codeHarbour April 2019)
Managing technical debt by Chris Willmott (codeHarbour April 2019)
 
Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)
Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)
Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)
 

Recently uploaded

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 

Recently uploaded (20)

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 

Software Security by Glenn Wilson

  • 3. February 2020 @Dynaminet 2 © Alamy (https://www.alamy.com/)
  • 4. How secure is my software? February 2020 @Dynaminet 3
  • 5. The 5 key practices for more secure software: Good design Security Testing Dependency checking Protect your Source Code Education February 2020 @Dynaminet 4
  • 6. Good design doesn’t cost, but it pays! February 2020 @Dynaminet 5
  • 7. February 2020 @Dynaminet 6 Produce Clean Maintainable Code
  • 8. NEVER STORE PASSWORDS IN PLAIN TEXT…. EVER! • Use STRONG hashing • Use Salted values (randomised!!) Build in Multifactor Authentication (MFA) • Something your user knows • Something your user has • Something your user is Enforce Password policies • Password rotation • Password strength February 2020 @Dynaminet 7
  • 9. Use STRONG Encryption… EVERYWHERE • No excuse for weak encryption • Encrypt Data at Rest and Data in Transit Asymmetric Encryption • Used for authentication and confidentiality • Public key can be shared • Private key must be kept secret / stored securely Symmetric Key • Sender and user use same key • Use with HMAC February 2020 @Dynaminet 8
  • 10. Validate ALLinput • User input • Query string parameters • API parameters • Validate EVERY VALUE (zero trust) Use Whitelisting • IP Addresses • Trusted Domain Names (be explicit) • Valid Characters Avoid Implicit Serialisation • Explicitly define object state February 2020 @Dynaminet 9 ✓ ✗
  • 11. Always Enable / Configure Security Related Headers • Control your response / request headers Content Security Policy (CSP) • Set policies in Content-Security-Policy header • Defend against Cross Site Scripting (XSS) • Prevents packet sniffing Cross-Origin Resource Sharing (CORS) • Set Access-Control-Allow-Origin headers appropriately • Set CDN / external JavaScript / CSS libraries and public API endpoints February 2020 @Dynaminet 10
  • 12. Always Log Security Events • Authentication / Authorisation Failures • Application / System Errors • Suspicious / Unexpected Behaviour Keep Logs Secure • Prevent Attackers from Hiding Their Tracks • Prevent Data Leaks Do NOT Log Data Illegally / Unnecessarily, such as: • Access Tokens • Personally Identifiable Information (PII) • Secrets / Encryption Keys • Payment Data February 2020 @Dynaminet 11
  • 13. All Code Is Guilty Until Proven Innocent February 2020 @Dynaminet 12
  • 14. February 2020 @Dynaminet 13 Unit Tests Pen Tests Static Application Security Tests Integration Security Tests slower faster more expensive cheaper
  • 15. Write Security Unit Test Cases: • Identity, Authentication & Access Control • Input Validation & Encoding • Encryption • User and Session Management • Error and Exception Handling • Auditing and Logging February 2020 @Dynaminet 14 ✓✗ ✓ ✓ ✓ ✓ ✓ ✓
  • 16. Use Static Code Analysis Tools • Integrate into IDE / CI/CD Pipeline • Identifies Most Common Source Code Vulnerabilities • Scans Source Code or Binaries Top SAST Tools Include: • Checkmarx • Veracode • Fortify on Demand • SonarQube • HCL AppScan BUT… • Can Generate Many False Positives • Bound to Specific Technologies February 2020 @Dynaminet 15
  • 17. Automate Tests Beyond Source Code Using DAST, IAST and RASP • Dynamic Application Security Testing • Simulates Real Attacks • Integrates into CI/CD Pipeline • Interactive Application Security Testing • Runtime instrumentation used in TESTING • Identifies Events at Runtime that may have Security Relevance • Runtime Application Self Protection • Runtime Instrumentation used in PRODUCTION • Prevents Exploitation of Common Vulnerabilities February 2020 @Dynaminet 16
  • 18. Use Penetration Testers Exploit Vulnerabilities in your Code • They use complex chains of vulnerabilities not Identified by Automated Tests • Imitate Hackers and use Hacker Tools • Provide a Report of Vulnerabilities BUT… • Do NOT rely EXCLUSIVELY on Pen Testing • Usually Performed TOO LATE in the SDLC for developers February 2020 @Dynaminet 17
  • 19. “Before software can be reusable it first has to be usable” - Ralph Johnson February 2020 @Dynaminet 18
  • 20. Check that your Free Open Source Software are not Vulnerable • Use Scanning Tools to Scan your Dependencies • Known Vulnerabilities are Exploited by Hackers • CVEs are Publicly Available (mitre.org) • Patch!!! • Use Scanning Tools Directly in your IDE – UPDATE LIBS QUICKLY in DEV • SCAN CONTAINERS – they bring a whole bunch of vulnerabilities with them!!!! February 2020 @Dynaminet 19
  • 21. ”It’s not enough for code to work” – Robert C. Martin February 2020 @Dynaminet 20
  • 22. Secure your Source Code… ALWAYS • Secure the Development Environment • Keep it separate from Production • Flexible Security – don’t Hinder Development • Protect the Source Code Repository • Access Controls • Monitor for Unusual Code Changes (e.g. external) • Secure the Build and Deployment Pipeline • Control Secrets and Credentials • Automate • Only Promote TRUSTED Branches February 2020 @Dynaminet 21
  • 23. “Knowledge is a weapon. I intend to be formidably armed.”― Terry Goodkind February 2020 @Dynaminet 22

Editor's Notes

  1. We’re all familiar with the dangers of being hacked: Data exfiltration Ransomware Sabotage
  2. As software engineers, architects, tester, we are all responsible for securing software. But what does this entail?
  3. Good software starts with good design “Good design doesn’t cost, but it pays”
  4. Cannot say this loud enough or clear enough!!!!
  5. Randomised = use cryptographically safe random generators such as CryptGenRandom in Windows and uRandom in UNIX Something your user knows = pin / password Something your user has = mobile device / hardware token Something your user is = facial recognition / fingerprint
  6. Data in Transit = avoid using SSL or older versions of TLS. You should use TLS 1.2 as a minimum know when and how to use asymmetric keys versus symmetric keys Never share a private key used for encryption HMAC = Hash-based Message Authentication Code (used to verify integrity and authenticity of a message)
  7. Whitelisting = ensure that only characters that are permitted can be used Centralise validation within domain primitives (Domain primitives gives greater control on how the application behaves e.g. an age is not an Integer unless someone lives to 2 billion years of age and also has negative age!
  8. Logging is a huge topic so will not cover it in this slide, other factors to mention: Create a central log or at least keep logs consistent Do not log everything – too much noise Use a Security Information and Event Management (SIEM)
  9. Mike Cohn = three layers 1) Unit Tests 2) Service Tests 3) UI Tests Unit Tests = happy and unhappy paths based on logic (e.g. can I order -2 billion items?) Static application tests = automated source code analysis. Scan source code for potential bad security practice (e.g. SQLi, XSS, unencrypted passwords etc). Lots of false positives if not configured correctly. Integration Security tests = automated dynamic code analysis. Validates that integrated services are secure using fuzz testing. Grey testing Pen testing = full black box testing. Usually carried out by skill penetration testers. Look for all sorts of issues. Traditional testing for many projects and carried out at end of SDLC
  10. Build security into the unit testing tools
  11. SAST = Static Application Security Testing
  12. Pen testing can come too late in the SDLC for developers
  13. Alternative quote = “A chain is only as long as its weakest link”
  14. Dependencies probably make up between 80% and 90% of your code base CVE = Common Vulnerability Enumeration
  15. You are under attack… constantly. Arm yourself with knowledge
  16. OWASP - Open Web Application Security Project Top 10 Security vulnerabilities (https://owasp.org/www-project-top-ten/) SANS - SANS is the most trusted and by far the largest source for information security training in the world Top 25 Most dangerous coding error (https://www.sans.org/top25-software-errors/) Centre for Internet Security (CIS) CIS Benchmarks for a raft of different technologies (https://www.cisecurity.org/cis-benchmarks/) National Cyber Security Centre (https://www.ncsc.gov.uk/collection/developers-collection) UK NIST – National Institute of Standards and Technology USA Cybersecurity resources (https://www.nist.gov/topics/cybersecurity) Mozilla Web Security page (https://infosec.mozilla.org/guidelines/web_security)