What Every Developer And Tester Should Know About Software Security
Anne Oikarinen (@Anne_Oikarinen)
Senior Security Consultant, Nixu Corporation
whoami: my weird path to #infosec
→ Interested in computers, astronomy, physics, how stuff works
→ Studied infosec & telecommunications
→ Software testing
→ Network security testing / test management / training instructor / network design / software development
→ Incident response & security awareness
→ Hacker / guiding dev teams how to build security in

Now: Anne Oikarinen, Senior Security Consultant @ Nixu Corporation, Finland
M.Sc. (Tech), CISSP, GMOB
Twitter: @Anne_Oikarinen
Why do we need software security?
Building security in
• Threat modeling
• Incident response
• Penetration testing
• Security requirements
Where people usually focus on vs. what you should start with
Building security in
• Automated code review
• Anomaly detection
• Checking known vulnerabilities
• Dynamic testing
• Automated error-free deployment
• Performance testing
• Open source license compatibility
• Threat modeling
• Deep code review
• Finding logic flaws
• Incident response
• Penetration testing
• Fuzzing
• Automated security tests
• Security requirements
Where people usually focus on vs. what you should start with
Security audit does not look like this.
Security people don’t want to embarrass you or annoy you.
They want to find vulnerabilities before evil people do.
Key elements of secure software
• Security requirements
• Threat modeling
• Security testing
Supporting concepts: assets to protect, evil user stories, attack surface, security standards
Security requirements: how to create and select requirements that are useful to you
”How can you protect something if you don’t know it exists or its value?”
Evil user stories
An attacker should not be able to purchase items without paying
An attacker should not be able to hack the site using known vulnerabilities
A user should not be able to see another user’s personal information
A user should not be able to send spam on the contact form
Many simultaneous users should not be able to crash the website
The admin should not be able to accidentally shut down the server
An attacker should not be able to…
Put evil user stories to backlog: mitigations as acceptance criteria
Evil user story
• A user should not be able to send spam on the contact form
Investigate mitigations
• Captcha
• Rate limiting
• Input validation
Backlog item
• Acceptance criteria: rate limiting, input validation, security testing
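Added example (not part of the deck): the contact-form evil user story above turned into code, with the two mitigations chosen as acceptance criteria, rate limiting and input validation, and check functions that act as the automated security tests. The limits, regexes, client keys and sample inputs are constructed for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed policy values for the example; tune to the real form's traffic.
MAX_SUBMISSIONS = 3      # rate limit: at most 3 accepted submissions ...
WINDOW_SECONDS = 600     # ... per client within a 10-minute sliding window
MAX_MESSAGE_LEN = 2000
MAX_LINKS = 2            # spam tends to carry many links
# Whitespace is excluded everywhere, so a CRLF header-injection attempt in the
# sender address fails this check as well.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LINK_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


class ContactForm:
    """Contact form back end implementing the two mitigations from the backlog item."""

    def __init__(self, max_submissions=MAX_SUBMISSIONS, window=WINDOW_SECONDS):
        self.max_submissions = max_submissions
        self.window = window
        # client key (e.g. source IP or session id) -> timestamps of accepted submissions
        self._history = defaultdict(deque)
        self.outbox = []  # messages that would be delivered to the support team

    def _rate_limited(self, client, now):
        q = self._history[client]
        while q and now - q[0] >= self.window:   # forget submissions outside the window
            q.popleft()
        return len(q) >= self.max_submissions

    @staticmethod
    def validate(email, message):
        """Input validation: returns None when the input is acceptable, else a reason."""
        if not EMAIL_RE.match(email):
            return "invalid sender address"
        if not message.strip():
            return "empty message"
        if len(message) > MAX_MESSAGE_LEN:
            return "message too long"
        if len(LINK_RE.findall(message)) > MAX_LINKS:
            return "too many links"
        return None

    def submit(self, client, email, message, now):
        # The cheap rate-limit check runs before anything else is spent on the request.
        if self._rate_limited(client, now):
            return Verdict(False, "rate limited")
        problem = self.validate(email, message)
        if problem:
            return Verdict(False, problem)
        self._history[client].append(now)
        self.outbox.append((email, message))
        return Verdict(True, "accepted")


# Acceptance criteria expressed as automated security tests.
def check_rate_limiting():
    """Five rapid submissions: the first three pass, then the window must re-open."""
    form = ContactForm()
    burst = [form.submit("10.0.0.1", "a@example.com", f"hello {i}", now=i).accepted
             for i in range(5)]
    after_window = form.submit("10.0.0.1", "a@example.com", "later",
                               now=WINDOW_SECONDS + 10).accepted
    return burst, after_window


def check_input_validation():
    """Spammy and malformed inputs are refused; a normal message is accepted."""
    form = ContactForm()
    return {
        "links": form.submit("c", "a@example.com", "http://x http://y http://z", 0).reason,
        "crlf": form.submit("c", "a@example.com\r\nBcc: v@example.net", "hi", 0).reason,
        "long": form.submit("c", "a@example.com", "x" * (MAX_MESSAGE_LEN + 1), 0).reason,
        "ok": form.submit("c", "a@example.com", "Question about my order", 0).reason,
    }


if __name__ == "__main__":
    print(check_rate_limiting())
    print(check_input_validation())
```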
Don’t reinvent the wheel
Security standards and best practices
Web applications
• OWASP Application Security Verification Standard (ASVS)
• OWASP top 10
Mobile applications
• OWASP Mobile Application Security Verification Standard (MASVS)
Internet of Things
• OWASP top 10 for IoT
• Code of practice for consumer IoT security (UK Gov)
Something else?
• Cherry-pick relevant parts from ASVS
Use existing material to select security requirements
Threat modeling: what could go wrong? What can we do about it?

Benefits of threat modeling
• Finding weaknesses in the design phase
• Targeting pentesting based on risk
• Testing does not find all weaknesses
What threats are relevant to our business?
• Script kiddie: DDoS for the lulz. Mitigation: load balancer
• Cybercriminal: ransomware target search from Shodan. Mitigation: updates
• RPA misconfig: configuration errors and mistakes. Mitigation: automatic testing
Who, when, and what?
• Sprint 1: threat workshop (threat modeling, attack surface)
• Sprint 2 … Sprint n: check threat model, residual risk
• What comes out: bugs, test cases, backlog items, documents
• Who takes part: testers, developers, product owner, infosec specialist
Attack tree visualizes threat scenarios
Nodes in the example tree: vulnerability in server components, web server compromised, web site delivers malware, password guessed, user information gets stolen, loss of reputation, drop in share price
Threat modeling techniques: how to find threats from the features and architecture
9.2.2019
Analyzing use cases and user stories
Dangerous or permissive features
• Viewing all users
• Uploading files
• Viewing health records
Admin interfaces
• Modifying users
• Deleting all files
• Starting and stopping services
Dangerous combinations of user roles
• Can both request and approve
Questions to ask: Who can access? Access control bypass? Need for multi-factor authentication? Traceability?
STRIDE model for architecture and data flow analysis
(S) Spoofing, (T) Tampering, (R) Repudiation, (I) Information Disclosure, (D) Denial of Service, (E) Elevation of Privilege
Example architecture: Browser, Mobile app, Web server, Database, DB management, Log server, Log management
Interesting feature → Architecture → Data flow analysis
Data flow analysis: user buys a book from an online book store
Components: Browser, Web server, Database, DB management, Log server, Log management
• Is the user authenticated?
• Can you spoof someone else?
• Can you bypass access control?
• Is the traffic encrypted?
• Can you try to inject evil stuff?
• Can you buy a book without actually paying?
• DoS or DDoS?
• Is there mutual authentication between servers?
• Can you get a listing of which books everyone bought?
• Can you inject evil stuff?
• What if DB connection is lost?
• Can an evil shopkeeper tamper with the database and modify the delivery address?
• Does it leave a log entry?
Log management
• Do the operations of users/admins leave a log entry?
• Do logs contain personally identifiable data?
• Does someone monitor the logs?
Identifying attack surface
Database
Web
server
Browser
Mobile
app
DB
management
Log
management
Log
server
API
server
Logistics company
delivery appUser interfaces
Integrations to
other systems
APIs
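Added example (not from the deck): a STRIDE pass over the book-store data flow described above, using the common STRIDE-per-element heuristic (which categories apply to external entities, processes and data stores), plus the trust-boundary check behind the attack surface slide: every flow that crosses a trust zone is an entry point. The trust zones, flow labels and the per-element mapping are assumptions made for the example; the deck names STRIDE and the components but not this table.

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"   # users and parties you do not control
    PROCESS = "process"            # code that runs
    STORE = "data store"           # databases, log files


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str   # trust zone the element lives in (assumed for the example)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


# STRIDE-per-element heuristic (assumed, not from the deck): which threat
# categories are worth asking about for each kind of DFD element and for flows.
STRIDE_BY_KIND = {Kind.EXTERNAL: "SR", Kind.PROCESS: "STRIDE", Kind.STORE: "TRID"}
STRIDE_FOR_FLOW = "TID"

QUESTION = {
    "S": "Spoofing: can someone pretend to be {t}?",
    "T": "Tampering: can data in {t} be modified without authorisation?",
    "R": "Repudiation: can actions involving {t} be denied later (no log entry)?",
    "I": "Information disclosure: can {t} leak data to the wrong party?",
    "D": "Denial of service: what happens when {t} is unavailable or flooded?",
    "E": "Elevation of privilege: can {t} be made to do more than the caller may?",
}

# Constructed model of the deck's scenario: a user buys a book from an online store.
ELEMENTS = [
    Element("Browser", Kind.EXTERNAL, "internet"),
    Element("Web server", Kind.PROCESS, "dmz"),
    Element("Database", Kind.STORE, "internal"),
    Element("DB management", Kind.PROCESS, "admin"),
    Element("Log server", Kind.STORE, "internal"),
    Element("Log management", Kind.PROCESS, "internal"),
]
FLOWS = [
    Flow("Browser", "Web server", "order and payment details"),
    Flow("Web server", "Database", "orders, customer records"),
    Flow("DB management", "Database", "admin queries"),
    Flow("Web server", "Log server", "audit events"),
    Flow("Log management", "Log server", "log queries"),
]


def threats_for_element(e):
    """(target, category, question) for every STRIDE category that applies to e."""
    return [(e.name, c, QUESTION[c].format(t=e.name)) for c in STRIDE_BY_KIND[e.kind]]


def threats_for_flow(f):
    target = f"{f.src} -> {f.dst} ({f.data})"
    return [(target, c, QUESTION[c].format(t=target)) for c in STRIDE_FOR_FLOW]


def enumerate_threats(elements, flows):
    """The full list of questions a threat workshop would walk through."""
    threats = []
    for e in elements:
        threats.extend(threats_for_element(e))
    for f in flows:
        threats.extend(threats_for_flow(f))
    return threats


def attack_surface(elements, flows):
    """Flows that cross a trust zone are entry points, i.e. the attack surface."""
    zone = {e.name: e.zone for e in elements}
    return [f for f in flows if zone[f.src] != zone[f.dst]]


def categories_for(name, elements=ELEMENTS):
    """Letters of STRIDE that apply to the named element, e.g. 'TRID' for a store."""
    e = next(x for x in elements if x.name == name)
    return "".join(c for _, c, _ in threats_for_element(e))


if __name__ == "__main__":
    for _, cat, q in enumerate_threats(ELEMENTS, FLOWS):
        print(f"[{cat}] {q}")
    print("Attack surface:", [(f.src, f.dst) for f in attack_surface(ELEMENTS, FLOWS)])
```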
Threats in development and operations: threat modeling a software development process
• Package sources and integrity?
• Detecting and updating known vulnerabilities?
• Detecting code quality issues?
• Storing credentials securely?
• Securing access to source code and CI?
• Testing environments and test data?
• Security testing
• Manual steps in deployment?
• Following procedure ALWAYS?
• Logging and monitoring?
Privacy threats 101: check at least these things about privacy
Logs
• Personal data in logs?
• Who has access to the logs?
• Tracking access to personal data?
Test data
• Copy from production?
• Level of test environment’s security?
• Who has access?
Scrambled data
• Can it be reversed?
Ask a privacy expert if unsure
Benefits of threat modeling (recap): finding weaknesses in the design phase; targeting pentesting based on risk; testing does not find all weaknesses
NOW WHAT? Do your own security testing

Security testing
The attacker won’t bother picking locks if they can climb over the fence.
Pick the low-hanging fruit
Don’t overlook low-level security findings
You can improve security, too!
Dependency tracking
• Known vulnerabilities in open source libraries
• Open source alternative: OWASP Dependency check
• Commercial tools can detect incompatible licenses
Code quality checks
• Detecting security bugs from source code
• Open source alternative: OWASP SonarQube
• Note: Does not replace security-oriented code review!
Scan your repositories
You can improve security, too! Test your applications and automate
Application testing
• OWASP ZAP: scanning web application vulnerabilities, can be automated
• Burp Suite (Community Edition, Professional, Enterprise): the hacker’s choice for manual security testing; Enterprise has CI integration
• SQL injection testing with sqlmap
Network level testing
• Lack of security headers, insecure TLS settings: testssl.sh
• Open ports, network segmentation: nmap
Security in every step
• Automated code review
• Anomaly detection
• Checking known vulnerabilities
• Dynamic testing
• Automated error-free deployment
• Performance testing
• Open source license compatibility
• Threat modeling
• Deep code review
• Finding logic flaws
• Incident response
• Penetration testing
• Fuzzing
• Automated security tests
• Security requirements
Anne Oikarinen
Senior Security Consultant
anne.oikarinen@nixu.com
@Anne_Oikarinen
@nixutigerteam
nixu.com

Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 

What Every Developer And Tester Should Know About Software Security

  • 1. What Every Developer And Tester Should Know About Software Security
    Anne Oikarinen, @Anne_Oikarinen
    Senior Security Consultant, Nixu Corporation
  • 2. whoami: my weird path to #infosec
    → Interested in computers, astronomy, physics, how stuff works
    → Studied infosec & telecommunications
    → Software testing
    → Network security testing / test management / training instructor / network design / software development
    → Incident response & security awareness
    → Hacker / guiding dev teams how to build security in
    Now: Senior Security Consultant @ Nixu Corporation, Finland
    M.Sc. (Tech), CISSP, GMOB
    Twitter: @Anne_Oikarinen
  • 5. Why do we need software security?
  • 6. Building security in
    Activities on the slide: security requirements, threat modeling, penetration testing, incident response
    Where people usually focus on: penetration testing, incident response
    What you should start with: security requirements, threat modeling
  • 7. Building security in
    Security requirements
    Threat modeling
    Automated code review
    Deep code review
    Checking known vulnerabilities
    Open source license compatibility
    Automated security tests
    Dynamic testing
    Fuzzing
    Finding logic flaws
    Performance testing
    Automated error-free deployment
    Anomaly detection
    Penetration testing
    Incident response
    (The slide places these on the same scale as slide 6, from "what you should start with" to "where people usually focus on".)
  • 8. Security audit does not look like this.
    Security people don't want to embarrass you or annoy you.
    They want to find vulnerabilities before evil people do.
  • 9. Key elements of secure software
    Security requirements, threat modeling, security testing
    Inputs: assets to protect, evil user stories, attack surface, security standards
  • 11. "How can you protect something if you don't know it exists or its value?"
  • 12. Evil user stories
    • An attacker should not be able to purchase items without paying
    • An attacker should not be able to hack the site using known vulnerabilities
    • A user should not be able to see another user's personal information
    • A user should not be able to send spam on the contact form
    • Many simultaneous users should not be able to crash the website
    • The admin should not be able to accidentally shut down the server
    • An attacker should not be able to…
  • 13. Put evil user stories to backlog: mitigations as acceptance criteria
    Evil user story
      • A user should not be able to send spam on the contact form
    Investigate mitigations
      • Captcha
      • Rate limiting
      • Input validation
    Backlog item, acceptance criteria
      • Rate limiting
      • Input validation
      • Security testing
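Taking the contact-form story on slide 13 through to working code, as an added example (not from the slides): a per-client sliding-window rate limiter and input validation, the two mitigations the slide turns into acceptance criteria. The limits, field names and the "no links" spam heuristic are assumed values for the example; the clock is injectable so the rate limit can be tested without sleeping.

```python
import re
import time
from collections import defaultdict, deque

# Assumed limits for the contact form; tune them per service.
MAX_REQUESTS_PER_WINDOW = 5
WINDOW_SECONDS = 60.0
MAX_MESSAGE_LEN = 2000
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key (here: client IP)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so tests can control time
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # expire hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate_contact(form):
    """Return a list of validation errors; an empty list means the submission is acceptable."""
    errors = []
    email = form.get("email", "")
    message = form.get("message", "")
    if "\r" in email or "\n" in email:
        errors.append("email: control characters")   # would allow mail-header injection
    elif not EMAIL_RE.fullmatch(email):
        errors.append("email: invalid format")
    if not message.strip():
        errors.append("message: empty")
    elif len(message) > MAX_MESSAGE_LEN:
        errors.append("message: too long")
    if "http://" in message or "https://" in message:
        errors.append("message: links not allowed")  # crude spam heuristic (assumed policy)
    return errors


def handle_contact(limiter, client_ip, form):
    """Rate-limit first (cheap, and it also throttles invalid submissions), then validate."""
    if not limiter.allow(client_ip):
        return 429, "too many requests"
    errors = validate_contact(form)
    if errors:
        return 400, "; ".join(errors)
    return 200, "accepted"


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS)
    form = {"email": "alice@example.com", "message": "Question about order 4711"}
    for i in range(7):
        print(i + 1, handle_contact(limiter, "203.0.113.7", form))   # sixth call onward: 429
```

The limiter is keyed on the source address, which is good enough against a single spammer but not against a botnet; the slide's third mitigation, a captcha, covers that case, and "security testing" as an acceptance criterion means the sixth-request-gets-429 behaviour above becomes an automated test rather than a hope.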
  • 15. Security standards and best practices: use existing material to select security requirements
    Web applications
      • OWASP Application Security Verification Standard (ASVS)
      • OWASP Top 10
    Mobile applications
      • OWASP Mobile Application Security Verification Standard (MASVS)
    Internet of Things
      • OWASP Top 10 for IoT
      • Code of Practice for Consumer IoT Security (UK Government)
    Something else?
      • Cherry-pick relevant parts from ASVS
  • 17. Benefits of threat modeling
    • Finding weaknesses in the design phase
    • Targeting pentesting based on risk
    • Testing does not find all weaknesses
  • 18. What threats are relevant to our business?
    Script kiddie
      • DDoS for the lulz
      • Mitigation: load balancer
    Cyber criminal
      • Ransomware target search from Shodan
      • Mitigation: updates
    RPA misconfig
      • Configuration errors and mistakes
      • Mitigation: automatic testing
  • 19. Who, when, and what?
    Sprint 1: threat workshop (threat modeling, attack surface)
    Sprint 2 to sprint n: check threat model, residual risk
    Who: testers, developers, product owner, infosec specialist
    What comes out: bugs, test cases, backlog items, documents
  • 20. Attack tree visualizes threat scenarios
    Drop in share price
      ← Loss of reputation
          ← User information gets stolen
              ← Web server compromised ← Vulnerability in server components
              ← Password guessed
          ← Web site delivers malware ← Web server compromised
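An attack tree is more than a picture once the leaves carry an effort estimate: you can ask which path to the root is cheapest for the attacker, and which mitigation actually changes that answer. The following is an added example, not from the slides; it evaluates the tree on slide 20 with the edges read off the slide layout and illustrative leaf costs that are assumed for the example (the AND-node rule is the general attack-tree algorithm, though the slide's tree only uses OR nodes).

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "OR"                 # "OR": any child suffices; "AND": every child is needed
    cost: float = 0.0                # leaves only: attacker effort on an assumed relative scale
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cheapest way to reach `node`: (total leaf cost, leaves used).
    OR nodes take the minimum over their children, AND nodes sum them.
    (A leaf shared by several AND branches would be counted once per branch.)"""
    if not node.children:
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.kind == "AND":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    return min(results, key=lambda r: r[0])


def build(costs: dict) -> Node:
    """The slide's tree; edges are read off the slide, leaf costs come from `costs`."""
    vuln = Node("Vulnerability in server components", cost=costs["Vulnerability in server components"])
    guessed = Node("Password guessed", cost=costs["Password guessed"])
    server = Node("Web server compromised", children=[vuln])
    malware = Node("Web site delivers malware", children=[server])
    stolen = Node("User information gets stolen", children=[server, guessed])
    reputation = Node("Loss of reputation", children=[stolen, malware])
    return Node("Drop in share price", children=[reputation])


# Assumed effort values: guessing a password is cheap, finding and exploiting a server bug is not.
BASELINE = {"Vulnerability in server components": 3, "Password guessed": 1}
WITH_MFA = {**BASELINE, "Password guessed": 8}     # MFA makes credential guessing expensive


if __name__ == "__main__":
    for label, costs in (("baseline", BASELINE), ("with MFA", WITH_MFA)):
        cost, path = cheapest(build(costs))
        print(f"{label}: cost {cost} via {path}")
```

With the baseline costs the cheapest route to the root is password guessing; adding MFA moves the cheapest route to the server vulnerability, which is exactly the kind of "what should we fix first" answer slide 17 promises from threat modeling.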
  • 21. Threat modeling techniques How to find threats from the features and architecture
  • 22. Analyzing use cases and user stories
    Dangerous or permissive features
      • Viewing all users
      • Uploading files
      • Viewing health records
    Admin interfaces
      • Modifying users
      • Deleting all files
      • Starting and stopping services
    Dangerous combinations of user roles
      • Can both request and approve
    Ask for each: Who can access? Access control bypass? Need for multi-factor authentication? Traceability?
  • 23. STRIDE model for architecture and data flow analysis
    (S) Spoofing
    (T) Tampering
    (R) Repudiation
    (I) Information Disclosure
    (D) Denial of Service
    (E) Elevation of Privilege
    Elements in the example data flow diagram: Browser, Mobile app, Web server, Database, DB management, Log management, Log server
  • 25. User buys a book from an online book store
    Elements: Browser, Web server, Database, DB management, Log management, Log server
    Browser and web server
      • Is the user authenticated?
      • Can you spoof someone else?
      • Can you bypass access control?
      • Is the traffic encrypted?
      • Can you try to inject evil stuff?
      • Can you buy a book without actually paying?
      • DoS or DDoS?
    Between servers
      • Is there mutual authentication between servers?
    Database
      • Can you get a listing of which books everyone bought?
      • Can you inject evil stuff?
      • What if the DB connection is lost?
    DB management
      • Can an evil shopkeeper tamper with the database and modify the delivery address?
      • Does it leave a log entry?
    Log management and log server
      • Do the operations of users/admins leave a log entry?
      • Do logs contain personally identifiable data?
      • Does someone monitor the logs?
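Slides 23 and 25 apply STRIDE by hand to the book-store data flow diagram. The systematic version of that is STRIDE-per-element: each kind of DFD element gets a fixed subset of the six categories, so the threat list is generated rather than remembered. The code below is an added example, not from the slides; it encodes the Microsoft SDL mapping (external entity: S, R; process: all six; data store: T, I, D, plus R for stores that hold audit logs; data flow: T, I, D), builds the slide 25 diagram from it, and attaches prompt questions in the spirit of the slide (the question wording and the flows chosen are assumptions for the example).

```python
from dataclasses import dataclass
from typing import List, Tuple

CATEGORIES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}
# STRIDE-per-element mapping (Microsoft SDL convention, assumed here as the modelling rule).
APPLICABLE = {
    "external": "SR",       # external entity: a user's browser, a third party
    "process": "STRIDE",    # running code: web server, admin tool
    "store": "TID",         # data at rest; "R" is added below for audit-log stores
    "flow": "TID",          # data in transit between two elements
}
# Prompt questions keyed by (element kind, letter); wording adapted from slide 25, assumed here.
PROMPTS = {
    ("external", "S"): "Is the user authenticated? Can you spoof someone else?",
    ("external", "R"): "Can the user deny an action? Does it leave a log entry?",
    ("process", "S"): "Is there mutual authentication between servers?",
    ("process", "T"): "Can you try to inject evil stuff?",
    ("process", "E"): "Can you bypass access control? Can you buy a book without paying?",
    ("process", "D"): "DoS or DDoS?",
    ("store", "T"): "Can an evil shopkeeper tamper with the data, e.g. the delivery address?",
    ("store", "I"): "Can you get a listing of which books everyone bought?",
    ("store", "D"): "What if the DB connection is lost?",
    ("store", "R"): "Do operations of users/admins leave a log entry? Does someone monitor the logs?",
    ("flow", "I"): "Is the traffic encrypted?",
    ("flow", "T"): "Can the data be modified in transit?",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # "external", "process" or "store"
    audit_log: bool = False   # a store whose job is to prove what happened


@dataclass(frozen=True)
class Threat:
    target: str
    letter: str
    category: str
    prompt: str


def stride_per_element(elements: List[Element], flows: List[Tuple[str, str]]) -> List[Threat]:
    """Enumerate candidate threats for every element and every data flow."""
    threats = []
    for e in elements:
        letters = APPLICABLE[e.kind] + ("R" if e.kind == "store" and e.audit_log else "")
        for letter in letters:
            threats.append(Threat(e.name, letter, CATEGORIES[letter],
                                  PROMPTS.get((e.kind, letter), "")))
    for src, dst in flows:
        for letter in APPLICABLE["flow"]:
            threats.append(Threat(f"{src} -> {dst}", letter, CATEGORIES[letter],
                                  PROMPTS.get(("flow", letter), "")))
    return threats


def bookstore_model() -> List[Threat]:
    """The slide 25 diagram; the flows are an assumed reading of the slide's arrows."""
    elements = [
        Element("Browser", "external"),
        Element("Web server", "process"),
        Element("Database", "store"),
        Element("DB management", "process"),
        Element("Log management", "process"),
        Element("Log server", "store", audit_log=True),
    ]
    flows = [("Browser", "Web server"), ("Web server", "Database"), ("Web server", "Log server"),
             ("DB management", "Database"), ("Log management", "Log server")]
    return stride_per_element(elements, flows)


if __name__ == "__main__":
    for t in bookstore_model():
        print(f"{t.target:28} {t.letter} {t.category:23} {t.prompt}")
```

The generated list is a checklist, not a finding list: every row still has to be judged relevant or not, and the ones that survive become evil user stories or backlog items as on slide 13. What the mechanical step buys you is that nothing is forgotten, e.g. denial of service on the log server, which a hand-drawn session rarely covers.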
  • 28. Threat modeling a software development process
    • Package sources and integrity?
    • Detecting and updating known vulnerabilities?
    • Detecting code quality issues?
    • Storing credentials securely?
    • Securing access to source code and CI?
    • Testing environments and test data?
    • Security testing?
    • Manual steps in deployment?
    • Following procedure ALWAYS?
    • Logging and monitoring?
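The first question on slide 28, package sources and integrity, has a concrete answer for Python projects: pin every dependency to a version and a digest and refuse anything that does not match. The following is an added example, not from the slides, of that check: it parses a pip-style lockfile with `--hash=` entries (the format `pip-compile --generate-hashes` and `pip --require-hashes` use), rejects unpinned or weakly hashed lines, and verifies a downloaded artifact against the pinned digests. The package name, artifact bytes and lockfile are constructed for the example.

```python
import hashlib
import re

# pip-style pinned requirement: "name==version --hash=sha256:<hex> [--hash=...]"
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")
STRONG = {"sha256", "sha384", "sha512"}       # the algorithms pip accepts for --require-hashes


def parse_lockfile(text):
    """Return {name: (version, {alg: {digest, ...}})}; every entry must be pinned and hashed."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):                # pip continues a requirement on the next line
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    entries = {}
    for line in logical:
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"not pinned with ==: {line}")
        hashes = {}
        for h in HASH_RE.finditer(m.group("rest")):
            if h.group("alg") not in STRONG:
                raise ValueError(f"{m.group('name')}: weak hash {h.group('alg')}")
            hashes.setdefault(h.group("alg"), set()).add(h.group("digest").lower())
        if not hashes:
            raise ValueError(f"{m.group('name')}: no --hash, integrity cannot be checked")
        entries[m.group("name").lower()] = (m.group("version"), hashes)
    return entries


def verify_artifact(entries, name, data):
    """Check a downloaded artifact's bytes against the lockfile; returns (ok, reason)."""
    entry = entries.get(name.lower())
    if entry is None:
        return False, "not in lockfile"
    _, hashes = entry
    for alg, digests in hashes.items():
        # Any listed digest may match: a package usually pins both its wheel and its sdist.
        if hashlib.new(alg, data).hexdigest() in digests:
            return True, f"{alg} matches"
    return False, "digest mismatch: artifact differs from what was pinned"


# Constructed sample: a fake artifact and a lockfile that pins its real sha256 (plus one dummy digest).
GOOD_ARTIFACT = b"PK\x03\x04 fake wheel contents for the example"
GOOD_DIGEST = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
LOCKFILE = f"""
# constructed for this example; real files come from pip-compile --generate-hashes
examplepkg==1.2.3 \\
    --hash=sha256:{GOOD_DIGEST} \\
    --hash=sha256:{'0' * 64}
"""


if __name__ == "__main__":
    entries = parse_lockfile(LOCKFILE)
    print(verify_artifact(entries, "examplepkg", GOOD_ARTIFACT))
    print(verify_artifact(entries, "examplepkg", GOOD_ARTIFACT + b"\x00"))   # tampered
```

The digest check only proves the artifact is the one that was pinned when the lockfile was generated; whether that version is free of known vulnerabilities is the second question on the slide, and a separate tool (the dependency tracking on slide 35) answers it.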
  • 30. Check at least these things about privacy
    Logs
      • Personal data in logs?
      • Who has access to the logs?
      • Tracking access to personal data?
    Test data
      • Copy from production?
      • Level of the test environment's security?
      • Who has access?
    Scrambled data
      • Can it be reversed?
    Ask a privacy expert if unsure
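Two of the questions on slide 30, personal data in logs and whether scrambled data can be reversed, are easy to demonstrate. The code below is an added example, not from the slides: it redacts e-mail addresses and IPv4 addresses from a log line before it is shipped, and then shows why an unkeyed hash is not anonymisation (anyone holding a customer list recomputes it) while a keyed HMAC pseudonym stays stable for correlation but cannot be recomputed without the key. The log line, customer list and key are constructed for the example.

```python
import hashlib
import hmac
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact(line):
    """Strip personal data before the line reaches the log server."""
    return IPV4_RE.sub("<ip>", EMAIL_RE.sub("<email>", line))


def naive_scramble(value):
    """Unkeyed hash: stable, but anyone can recompute it from a guess."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def pseudonymize(value, key):
    """Keyed pseudonym (HMAC-SHA256): stable across log lines, not recomputable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def reverse_by_dictionary(token, candidates, token_fn):
    """What an attacker holding the logs and a candidate list does: recompute tokens for every guess."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


# Constructed sample data.
RAW_LINE = "2019-02-09T10:15:02Z INFO order=4711 user=alice@example.com from 198.51.100.23 paid"
CUSTOMERS = ["bob@example.com", "carol@example.net", "alice@example.com"]   # e.g. a leaked mailing list
LOG_KEY = b"assumed-secret-kept-in-a-vault-never-in-the-logs"


def demo():
    scrambled = naive_scramble("alice@example.com")
    pseudo = pseudonymize("alice@example.com", LOG_KEY)
    return {
        "redacted": redact(RAW_LINE),
        # The unkeyed token falls to a dictionary of customers.
        "naive_reversed": reverse_by_dictionary(scrambled, CUSTOMERS, naive_scramble),
        # The attacker cannot compute HMACs without LOG_KEY, so the same dictionary finds nothing.
        "hmac_reversed": reverse_by_dictionary(pseudo, CUSTOMERS, naive_scramble),
        "hmac_stable": pseudo == pseudonymize("alice@example.com", LOG_KEY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A keyed pseudonym is still personal data for whoever holds the key, so the key belongs in a secrets store that the log pipeline's readers cannot reach; where you do not need to correlate events per user, redaction is the safer default. The same reversibility test applies to "scrambled" production copies used as test data: if the scrambling is a plain hash or a fixed substitution, treat it as production data.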
  • 31. Benefits of threat modeling (recap)
    • Finding weaknesses in the design phase
    • Targeting pentesting based on risk
    • Testing does not find all weaknesses
  • 33. Do your own security testing
    Security requirements, threat modeling, security testing
    Inputs: assets to protect, evil user stories, attack surface, security standards
  • 34. Pick the low-hanging fruit
    The attacker won't bother picking locks if they can climb over the fence.
    Don't overlook low-level security findings.
  • 35. You can improve security, too! Scan your repositories
    Dependency tracking
      • Known vulnerabilities in open source libraries
      • Open source alternative: OWASP Dependency-Check
      • Commercial tools can also detect incompatible licenses
    Code quality checks
      • Detecting security bugs from source code
      • Open source alternative: SonarQube (a SonarSource project, not an OWASP one)
      • Note: does not replace security-oriented code review!
  • 36. You can improve security, too! Test your applications and automate
    Application testing
      • OWASP ZAP: scanning web application vulnerabilities, can be automated
      • Burp Suite (Community Edition, Professional, Enterprise): the hacker's choice for manual security testing; Enterprise has CI integration
      • SQL injection testing with sqlmap
    Network level testing
      • Insecure TLS settings, missing security headers: testssl.sh
      • Open ports, network segmentation: nmap
  • 37. Security in every step
    Security requirements
    Threat modeling
    Automated code review
    Deep code review
    Checking known vulnerabilities
    Open source license compatibility
    Automated security tests
    Dynamic testing
    Fuzzing
    Finding logic flaws
    Performance testing
    Automated error-free deployment
    Anomaly detection
    Penetration testing
    Incident response
  • 38. Anne Oikarinen, Senior Security Consultant
    anne.oikarinen@nixu.com
    @Anne_Oikarinen, @nixutigerteam
    nixu.com