This deck goes through challenges with software security today, how we got to this position and best ways of addressing these challenges through the lens of 'positive security'.
Mobile apps are the main source of security concerns in every software solution nowadays. But it doesn't have to be like that: In this session we will explore best practices, tips and tricks from OWASP MASVS that will take your app to a next level! Just remember: You don't need to be an expert to make an app secure.
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.
This document discusses SoftServe's approach to application security testing. It outlines typical security processes, reports, and issues found. It then proposes an integrated security process using both static code analysis and dynamic testing. This would involve deploying applications through a CI pipeline to security tools to identify vulnerabilities early in development cycles. The benefits are presented as reduced remediation costs, improved knowledge, and full technology coverage through internal testing versus third parties.
The document discusses security as an important metric for businesses, products, and development lifecycles. It summarizes an upcoming security meetup in Lviv, Ukraine on November 14, 2015 focused on topics like securing web and mobile applications, hacking REST and JavaScript apps, investigations, reverse engineering, social engineering, and physical hacking. The meetup will include hands-on labs, collaboration, competitions, and talks from elite hackers and industry experts.
The document discusses security in software development. It outlines the typical software development life cycle of requirements, design, code, test, and deployment phases. For each phase, it notes that security is usually an afterthought rather than being integrated into the process from the beginning. It encourages improving security perceptions, work, and practices at each stage of development. The presenter is Renato Rodrigues, who wants to continue the security conversation on social media.
This document summarizes an OWASP Top-10 Hands-on Workshop. It introduces OWASP as a non-profit organization focused on web application security. It then outlines the top 10 vulnerabilities according to OWASP: injection, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using components with known vulnerabilities, and validation of redirects and forwards. The document proceeds to demonstrate these vulnerabilities on a sample web application and provides rules and guidelines for the hands-on portion of the workshop.
This document discusses manual code review. It begins by introducing the author and their background and interests in security. It then asks why code review is important, noting that finding bugs early is cheaper and code review allows different visibility into code than other methods. Both automated and manual code review are discussed, saying they should be used complementarily. Manual review provides a 10,000 foot view by understanding the application and security controls. Specific vulnerabilities are then looked for. The document ends by stating manual code review can be done in 60 seconds by understanding the application, reviewing a security control, and looking for specific vulnerabilities.
The path of secure software by Katy AntonDevSecCon
This document discusses 10 controls (C1 through C10) for developing secure software. Each control is described in 1-2 pages and addresses how it mitigates many of the top 10 risks from the OWASP list, including injection, XSS, sensitive data exposure, access control issues, and more. Specific techniques are provided, such as query parameterization to prevent SQL injection, output encoding to prevent XSS, validating all input, secure authentication and authorization practices, encrypting data, and centralized error handling.
Mobile apps are the main source of security concerns in every software solution nowadays. But it doesn't have to be like that: In this session we will explore best practices, tips and tricks from OWASP MASVS that will take your app to a next level! Just remember: You don't need to be an expert to make an app secure.
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.
This document discusses SoftServe's approach to application security testing. It outlines typical security processes, reports, and issues found. It then proposes an integrated security process using both static code analysis and dynamic testing. This would involve deploying applications through a CI pipeline to security tools to identify vulnerabilities early in development cycles. The benefits are presented as reduced remediation costs, improved knowledge, and full technology coverage through internal testing versus third parties.
The document discusses security as an important metric for businesses, products, and development lifecycles. It summarizes an upcoming security meetup in Lviv, Ukraine on November 14, 2015 focused on topics like securing web and mobile applications, hacking REST and JavaScript apps, investigations, reverse engineering, social engineering, and physical hacking. The meetup will include hands-on labs, collaboration, competitions, and talks from elite hackers and industry experts.
The document discusses security in software development. It outlines the typical software development life cycle of requirements, design, code, test, and deployment phases. For each phase, it notes that security is usually an afterthought rather than being integrated into the process from the beginning. It encourages improving security perceptions, work, and practices at each stage of development. The presenter is Renato Rodrigues, who wants to continue the security conversation on social media.
This document summarizes an OWASP Top-10 Hands-on Workshop. It introduces OWASP as a non-profit organization focused on web application security. It then outlines the top 10 vulnerabilities according to OWASP: injection, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using components with known vulnerabilities, and validation of redirects and forwards. The document proceeds to demonstrate these vulnerabilities on a sample web application and provides rules and guidelines for the hands-on portion of the workshop.
This document discusses manual code review. It begins by introducing the author and their background and interests in security. It then asks why code review is important, noting that finding bugs early is cheaper and code review allows different visibility into code than other methods. Both automated and manual code review are discussed, saying they should be used complementarily. Manual review provides a 10,000 foot view by understanding the application and security controls. Specific vulnerabilities are then looked for. The document ends by stating manual code review can be done in 60 seconds by understanding the application, reviewing a security control, and looking for specific vulnerabilities.
The path of secure software by Katy AntonDevSecCon
This document discusses 10 controls (C1 through C10) for developing secure software. Each control is described in 1-2 pages and addresses how it mitigates many of the top 10 risks from the OWASP list, including injection, XSS, sensitive data exposure, access control issues, and more. Specific techniques are provided, such as query parameterization to prevent SQL injection, output encoding to prevent XSS, validating all input, secure authentication and authorization practices, encrypting data, and centralized error handling.
The document summarizes Suman Sourav's presentation on application security at the OWASP Indonesia Day 2017 conference. It discusses DevSecOps which aims to shift security left in the SDLC by integrating security practices and tools into development. It also outlines people, processes, and technologies needed for a DevSecOps approach, including training developers, defining security metrics and roadmaps, and using tools that automate security testing throughout the development cycle.
Security process should be integrated with SDLC well to be successful. While many companies have already moved from Waterfall to Agile methodologies security remains behind more often than not. We have demonstrated in our presentation how security can move to agile by utilizing open source tools, customizing them to meet our needs and to implement a continuos security testing using dynamic scanners as well as manual testing.
It’s very important also to assure that false positives are not fed to the developers bug tracking systems and to assign a severity for each finding correctly. To make it happen we import all our findings to a security dashboard and review them before exporting to a bug tracking system.
Evil User Stories - Improve Your Application SecurityAnne Oikarinen
This document discusses using "evil user stories" to improve application security. Evil user stories describe how attackers might compromise systems or abuse features from a malicious perspective. They can help security teams think like attackers and identify threats early. The document provides examples of evil user stories and corresponding mitigations that could be used to refine security testing and prevent vulnerabilities.
Secure Software Development Lifecycle - Devoxx MA 2018Imola Informatica
Slides from our talk @Devoxx MA 2018.
We discuss Secure Software Development Lifecycle practices, recommendations, and tools, and we show practical examples of bad progamming habits that can be mitigated.
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
Static Application Security Testing (SAST) introduces challenges with existing Software Development Lifecycle Configurations. Strategies at different points of the SDLC improve deployment time, while still improving the quality and security of the deliverable. This session will discuss the different strategies that can be implemented for SAST within SDLC—strategies catering to developers versus security analysts versus release engineers. The strategies consider the challenges each team may encounter, allowing them to incorporate security testing without jeopardizing deadlines or existing process.
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
Published on Nov 26, 2013
AppSec at DevOps Speed and Portfolio Scale - Jeff Williams
Watch this talk on YouTube: https://www.youtube.com/watch?v=cIvOth0fxmI
Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and Devops.
Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today's best software assurance techniques *can't*handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.
Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools -- application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.
Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect realtime data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.
Speaker
Jeff Williams
CEO, Aspect Security
Jeff is a founder and CEO of Aspect Security and recently launched Contrast Security, a new approach to application security analysis. Jeff was an OWASP Founder and served as Global Chairman from 2004 to 2012, contributing many projects including the OWASP Top Ten, WebGoat, ESAPI, ASVS, and more. Jeff is passionate about making it possible for anyone to do their own continuous application security in real time.
Are Agile And Secure Development Mutually Exclusive?Source Conference
The document discusses agile and secure software development. It provides an overview of traditional waterfall and agile project methods. Agile practices like working in short cycles, customer collaboration, and responding to change are highlighted. The roles of project managers, quality assurance teams, and security practices within agile development are also examined. Finally, the document questions whether agile and secure development can be mutually exclusive.
[OWASP Poland Day] Security in developer's lifeOWASP
This document discusses how to integrate security practices into the developer life cycle from the initial interview through onboarding and ongoing development. It recommends assessing security knowledge in interviews, providing security guides and resources for new developers, measuring reading of guides through quizzes, and using metrics to improve security processes over time. The goal is to make developers aware of security best practices from their first days of work and involve them in an ongoing security culture.
Implementing an Application Security Pipeline in JenkinsSuman Sourav
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge and the traditional secure SDLC model fails to deliver the desired results. DevOps understand the process of built, test and deploy. They have largely automated this process in a delivery pipeline, they deploy to production multiple times per day but the big challenge is how can they do this securely?
This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
The document provides guidance on implementing simple yet effective security defenses to thwart cyber attacks. It recommends building security programs with key components like policies, baselines, risk acceptance models and checklists for application security reviews. Specific defenses include user awareness training, least privileged access, patching, network segmentation, input validation, logging and encryption. The document argues that with the right foundations, organizations do not need large budgets for security and can prevent common hacking techniques.
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
The document discusses what software developers and testers should know about software security. It emphasizes the importance of threat modeling to understand potential threats, creating security requirements, and including security testing in the development process. It provides examples of security best practices like checking for vulnerabilities, conducting code reviews, and penetration testing applications to find issues before attackers. The goal is to integrate security practices into development rather than as an afterthought.
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
The document discusses improving security, compliance, and risk management through a DevSecOps approach. It outlines steps such as mapping compliance controls to infrastructure components, categorizing risks, describing controls and mitigations, testing controls, and communicating controls to stakeholders. Automating compliance checks and integrating security practices into development workflows are presented as ways to improve security, compliance, and speed of delivery simultaneously.
DevSecCon Asia 2017 Pishu Mahtani: Adversarial ModellingDevSecCon
Pishu Mahtani discusses adversarial modeling as a technique for driving secure application development. Adversarial modeling involves thinking like malicious attackers to understand how applications could be compromised. It recommends identifying assets, threats, and developing misuse cases to analyze how attackers may interact with systems. The presentation provides an example of applying these concepts to an electronic procurement application, identifying actors, workflows, vulnerabilities, and potential misuse cases for different attacker types. The goal is to help developers adopt an adversarial mindset early in the development process to build more robust defenses against real-world threats.
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS).
This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints.
But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.
This document discusses secure programming practices, including incorporating security into the software development lifecycle, common vulnerabilities like buffer overflows and integer overflows, and secure coding guidelines for languages like Java and C++. It emphasizes practices like input validation, error handling, and using the latest compilers. It also covers the High Integrity C++ framework for developing safety-critical applications.
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
http://www.ddifrontline.com
Digital Defense Inc (DDI) and Veracode present the "Crafting Super-Powered Risk Assessments" webinar and slides. The presentation covers security assessments, application security, and how to manage risk.
Integrating security into Continuous DeliveryTom Stiehm
This document discusses integrating security practices into continuous delivery processes. It describes Coveros' SecureAgile development process which includes threat modeling, risk analysis, penetration testing, security stories, secure code reviews, defensive coding and design, and secure testing. The goal is to assure timely delivery of software while achieving security objectives. Integrating security helps make applications more secure, reduces security costs, improves quality, and protects applications from attackers.
DevSecOps is a cultural change that incorporates security practices into software development through people, processes, and technologies. It aims to address security without slowing delivery by establishing secure-by-design approaches, automating security tools and processes, and promoting collaboration between developers, security engineers, and operations teams. As software and connected devices continue proliferating, application security must be a central focus of the development lifecycle through a DevSecOps methodology.
The document summarizes Suman Sourav's presentation on application security at the OWASP Indonesia Day 2017 conference. It discusses DevSecOps which aims to shift security left in the SDLC by integrating security practices and tools into development. It also outlines people, processes, and technologies needed for a DevSecOps approach, including training developers, defining security metrics and roadmaps, and using tools that automate security testing throughout the development cycle.
Security process should be integrated with SDLC well to be successful. While many companies have already moved from Waterfall to Agile methodologies security remains behind more often than not. We have demonstrated in our presentation how security can move to agile by utilizing open source tools, customizing them to meet our needs and to implement a continuos security testing using dynamic scanners as well as manual testing.
It’s very important also to assure that false positives are not fed to the developers bug tracking systems and to assign a severity for each finding correctly. To make it happen we import all our findings to a security dashboard and review them before exporting to a bug tracking system.
Evil User Stories - Improve Your Application SecurityAnne Oikarinen
This document discusses using "evil user stories" to improve application security. Evil user stories describe how attackers might compromise systems or abuse features from a malicious perspective. They can help security teams think like attackers and identify threats early. The document provides examples of evil user stories and corresponding mitigations that could be used to refine security testing and prevent vulnerabilities.
Secure Software Development Lifecycle - Devoxx MA 2018Imola Informatica
Slides from our talk @Devoxx MA 2018.
We discuss Secure Software Development Lifecycle practices, recommendations, and tools, and we show practical examples of bad progamming habits that can be mitigated.
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
Static Application Security Testing (SAST) introduces challenges with existing Software Development Lifecycle Configurations. Strategies at different points of the SDLC improve deployment time, while still improving the quality and security of the deliverable. This session will discuss the different strategies that can be implemented for SAST within SDLC—strategies catering to developers versus security analysts versus release engineers. The strategies consider the challenges each team may encounter, allowing them to incorporate security testing without jeopardizing deadlines or existing process.
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
Published on Nov 26, 2013
AppSec at DevOps Speed and Portfolio Scale - Jeff Williams
Watch this talk on YouTube: https://www.youtube.com/watch?v=cIvOth0fxmI
Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and Devops.
Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today's best software assurance techniques *can't*handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.
Although we're making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It's not just security tools -- application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.
Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect realtime data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.
Speaker
Jeff Williams
CEO, Aspect Security
Jeff is a founder and CEO of Aspect Security and recently launched Contrast Security, a new approach to application security analysis. Jeff was an OWASP Founder and served as Global Chairman from 2004 to 2012, contributing many projects including the OWASP Top Ten, WebGoat, ESAPI, ASVS, and more. Jeff is passionate about making it possible for anyone to do their own continuous application security in real time.
Are Agile And Secure Development Mutually Exclusive?Source Conference
The document discusses agile and secure software development. It provides an overview of traditional waterfall and agile project methods. Agile practices like working in short cycles, customer collaboration, and responding to change are highlighted. The roles of project managers, quality assurance teams, and security practices within agile development are also examined. Finally, the document questions whether agile and secure development can be mutually exclusive.
[OWASP Poland Day] Security in developer's lifeOWASP
This document discusses how to integrate security practices into the developer life cycle from the initial interview through onboarding and ongoing development. It recommends assessing security knowledge in interviews, providing security guides and resources for new developers, measuring reading of guides through quizzes, and using metrics to improve security processes over time. The goal is to make developers aware of security best practices from their first days of work and involve them in an ongoing security culture.
Implementing an Application Security Pipeline in JenkinsSuman Sourav
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge and the traditional secure SDLC model fails to deliver the desired results. DevOps understand the process of built, test and deploy. They have largely automated this process in a delivery pipeline, they deploy to production multiple times per day but the big challenge is how can they do this securely?
This session will focus on a strategy to build an application security pipeline in Jenkins, challenges and possible solutions, also how existing application security solutions (SAST, DAST, IAST, OpenSource Libraries Analysis) are playing a key role in growing the relationship between security and DevOps.
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
The document provides guidance on implementing simple yet effective security defenses to thwart cyber attacks. It recommends building security programs with key components like policies, baselines, risk acceptance models and checklists for application security reviews. Specific defenses include user awareness training, least privileged access, patching, network segmentation, input validation, logging and encryption. The document argues that with the right foundations, organizations do not need large budgets for security and can prevent common hacking techniques.
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
The document discusses what software developers and testers should know about software security. It emphasizes the importance of threat modeling to understand potential threats, creating security requirements, and including security testing in the development process. It provides examples of security best practices like checking for vulnerabilities, conducting code reviews, and penetration testing applications to find issues before attackers. The goal is to integrate security practices into development rather than as an afterthought.
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
The document discusses improving security, compliance, and risk management through a DevSecOps approach. It outlines steps such as mapping compliance controls to infrastructure components, categorizing risks, describing controls and mitigations, testing controls, and communicating controls to stakeholders. Automating compliance checks and integrating security practices into development workflows are presented as ways to improve security, compliance, and speed of delivery simultaneously.
DevSecCon Asia 2017 Pishu Mahtani: Adversarial ModellingDevSecCon
Pishu Mahtani discusses adversarial modeling as a technique for driving secure application development. Adversarial modeling involves thinking like malicious attackers to understand how applications could be compromised. It recommends identifying assets, threats, and developing misuse cases to analyze how attackers may interact with systems. The presentation provides an example of applying these concepts to an electronic procurement application, identifying actors, workflows, vulnerabilities, and potential misuse cases for different attacker types. The goal is to help developers adopt an adversarial mindset early in the development process to build more robust defenses against real-world threats.
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS).
This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints.
But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.
This document discusses secure programming practices, including incorporating security into the software development lifecycle, common vulnerabilities like buffer overflows and integer overflows, and secure coding guidelines for languages like Java and C++. It emphasizes practices like input validation, error handling, and using the latest compilers. It also covers the High Integrity C++ framework for developing safety-critical applications.
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
http://www.ddifrontline.com
Digital Defense Inc (DDI) and Veracode present the "Crafting Super-Powered Risk Assessments" webinar and slides. The presentation covers security assessments, application security, and how to manage risk.
Integrating security into Continuous DeliveryTom Stiehm
This document discusses integrating security practices into continuous delivery processes. It describes Coveros' SecureAgile development process which includes threat modeling, risk analysis, penetration testing, security stories, secure code reviews, defensive coding and design, and secure testing. The goal is to assure timely delivery of software while achieving security objectives. Integrating security helps make applications more secure, reduces security costs, improves quality, and protects applications from attackers.
DevSecOps is a cultural change that incorporates security practices into software development through people, processes, and technologies. It aims to address security without slowing delivery by establishing secure-by-design approaches, automating security tools and processes, and promoting collaboration between developers, security engineers, and operations teams. As software and connected devices continue proliferating, application security must be a central focus of the development lifecycle through a DevSecOps methodology.
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
Our technology, work processes, and activities all depend on if we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security in the development process, DevSecOps advance methods, manage the implement secure coding analysis and how to manage software security risks.
Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show off how easily it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples DevOps team can implement for free.
- Stefan Streichsbier is the CEO of GuardRails and a professional white-hat hacker who has identified severe shortcomings in security processes and technologies, leading him to create GuardRails.
- The document discusses the evolution of DevOps and increasing complexity, the state of security and how it needs to fit within modern development workflows, and introduces the concept of DevSecOps to address shortcomings and better integrate security.
- Key aspects of DevSecOps discussed include how to create, test, and monitor secure applications and empower development teams to build security in from the start rather than see it as a separate function. Automated security tools and the need to reduce noise and improve usability for developers is also
Steering a Bullet Train: Owasp Latam Tour BA 2015skantos
IT companies that do heavy software development have been shifting their paradigm from a traditional monolithic waterfall development lifecycle to a fully heterogeneous 24/7 devops culture. This implies more software deployment and more code developed. The traditional security approach, besides not being enough, is clearly outdated and non-applicable. This talk will tell how MercadoLibre evolved to a DevOps company, how information security was perceived and tackled then and now, what challenges we faced, what we made to drive change to a 15 years old company’s mindset, and how we are transforming into a SecDevOps culture and the way we envision that culture of work.
The document discusses product security and how it relates to application security, infrastructure security, and security operations for a specific product or system. It argues that applying DevOps methodologies to traditional application security practices can help make security part of everyday work for developers and operations teams. This will help change an organization's security culture to focus on designing security into products from the start.
"How to Get Started with DevSecOps," presented by CYBRIC VP of Engineering Andrei Bezdedeanu at IT/Dev Connections 2018. Collaboration between development and security teams is key to DevSecOps transformation and involves both cultural and technological shifts. The challenges associated with adoption can be addressed by empowering developers with the appropriate security tools and processes, automation and orchestration. This presentation outlines enabling this transformation and the resulting benefits, including the delivery of more secure applications, lower cost of managing your security posture and full visibility into application and enterprise risks. www.cybric.io
This document discusses building application security teams. It begins by introducing the author and their background in application security. It then discusses creating an environment where security enables business goals rather than hinders them. It suggests embedding security into culture by focusing on quality, testing, and engineering. It discusses the importance of application security policies being customized and delivered effectively. It emphasizes the need for application security activities like threat modeling and code reviews to avoid relying on "security pixie dust". It argues that even non-software companies should view themselves as software companies due to their reliance on code. Finally, it discusses building application security teams internally by training and educating developers rather than exclusively hiring specialists.
This document summarizes best practices for building an application security program at a startup. It recommends getting organizational buy-in, building a security team by networking and attending events, and shifting security left by training developers. It also discusses implementing threat modeling, carefully vetting security vendors, embedding security engineers with developer teams, and continuing to improve processes over time. The overall message is that security is a collaborative effort involving the whole company.
This talk will demo one threat modeling methodology and how an engineering team is appending it to their Secure Software Development Life Cycle. The goal is to create a single platform for communicating architectural risk and planning mitigations within sprints. This will not only address security concerns sooner in a product's lifecycle but establish a trusting relationship between engineering and security teams. As an ever-evolving space, to reduce risk and deploy products to market, this is one additional step any software-focused team can quickly adapt to their practices.
Mike Spaulding - Building an Application Security Programcentralohioissa
Application Security in many organizations is a simply a 'wish list' item, but with some staff and some training, AppSec can be a reality, even for a small organization. This talk will discuss the best practices, strategies and tactics, and resource planning to build an internal AppSec function - enterprise to 'mom & pop' operations will all benefit from this talk.
This document provides guidance on building an application security program. It discusses common application security threats and vulnerabilities. The goal of application security is to reduce application risks. Methods include static code analysis, dynamic testing, and manual verification at different stages of the software development lifecycle. The document recommends starting simple, setting policies and standards, scaling application security as development scales, and verifying third party applications. It emphasizes the importance of continuous improvement, metrics, and alignment with development processes.
Make sure you’re defending against the most common web security issues and attacks with this useful overview of software development best-practices. We'll go over the most common attacks against web applications and present real world advice for defending yourself against these types of attacks.
Shift Left Security – Guidance on embedding security for a Digital Transforma...Yazad Khandhadia
How to effectively plan and use people, process and technology controls within Information Security to influence Culture during a Digital Transformation
VSEC’s source code review services help uncover unexpected and hidden vulnerabilities and design flaws in source codes. We use a mix of scanning tools and manual review to detect insecure coding practices, injection flaws, cross site scripting flaws, backdoors, weak cryptography, insecure handling of external resources, etc.
Similar to Why 'positive security' is a software security game changer (20)
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
2. Working or saving lives?
> Work for
We empower developers to write secure code
> Developer >> Pentester >> Developer
> Help organisations build kick-ass
training awareness programs
3. Agenda
• Today’s challenges with software security
• How did we end up here?
• Shift Left Start Left – How to scale and make an impact as appsec
• Build a positive security culture
5. Software engineers around the world ~ Evans Data
22M
Source: https://evansdata.com/reports/viewRelease.php?reportID=9
6. Lines of code written by developers
every year ~ CSO Online
111BN
Source: https://www.csoonline.com/article/3151003/application-development/world-will-need-to-secure-111-billion-lines-of-new-software-code-in-2017.html
8. Security incidents result from defects in the design
or code of software ~ DHS
90%
Source: https://www.us-cert.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf
9. Of data breaches caused by software vulnerability ~
Verizon
21%
Source: Verizon, Data Breach Report, 2018 (but in there the last 10 years)
10. of newly scanned applications had SQL injections
over the past 5 yrs ~ Cisco
1 in 3
Source: Cybersecurity as a Growth Advantage, Cisco, 2016
13. AppSec in 2000
Corporates had a branding website, the
Internet was mostly for geeks
> AppSec was virtually non-existent in corporate world
> Hacking was focussed on exploiting infrastructure
vulnerabilities (bof, race conditions, fmt str*)
> Research on first web app weaknesses
> OWASP started and Top 10 released!
> Penetration testing was black magic
14. We’ve got bigger problems (Y2K) than worrying
about Application Security
15. AppSec in 2010
Companies started offering web-based services;
Web 2.0 and Mobile are new
> Penetration testing was THE thing
> Web Application Firewalls will stop everything
> Paper-based secure coding guidelines
> Static Code Analysis Tools (SAST) emerge
19. BUILDERS
Know their code
Do not speak
“security”
BREAKERS
Always pointing out
problems
Not developers
SQL Injections
XSS
Object
Deserialization
IDOR
Constructors
JAVA Spring
SWIFT
Angular.JS
vs
27. > SHIFT START left
Scale and Make an Impact for AppSec
28. SHIFT START left
Solution – Better Pen-Testing
> Bobby’; DROP TABLE pentesting_attitude;
> Provide a FIX more than input_validation();
> Create a JIRA ticket with advise/fix
> Create a pull request (wishful thinking)
> Lessons Learned to dev teams to distribute
knowledge
Less finding problems, more security engineering
31. 200
Secure Coding Guidelines
1. Ensure application logging (Where, What, When, Who, Why)
2. Use context encoding on untrusted user input
Project X - Secure Coding rules for
<insert your favourite coding framework>
1. Use SecureLogger log_object;
2. Don’t use GetParameter(), Use LibSafe_GetParam()
Solution – Distribute Knowledge
32. Secure Coding Guidelines
1. Ensure application logging (Where, What, When, Who, Why)
2. Use context encoding on untrusted user input
Project X - Secure Coding rules for
<insert your favourite coding framework>
1. Use SecureLogger log_object;
2. Don’t use GetParameter(), Use LibSafe_GetParam()
Upon Commit
1. Your code violates security rules: You shall not pass!
2. Your code violates security rules: Fill in your get out of jail card
(JIRA ticket)
3. Points++ for delivering secure code
Solution – Distribute Knowledge
200
33. Application Security
1
Developer fixes issue
● Use TLS() for any sensitive data
Security Vulnerabilities
● Sensitive data not
transported securely
Solution – Learn from Mistakes
34. Developer fixes issue
● Use TLS() for any sensitive data
Security Vulnerabilities
● Sensitive data not transported securely
Project X - Secure Coding rules for
<insert your favourite coding framework>
1. Use SecureLogger log_object;
2. Don’t use GetParameter(), Use LibSafe_GetParam()
3. Use TLS() for any sensitive data
200
Solution – Learn from Mistakes
35. > Build a positive
security culture
Break down “us” vs “them” culture
36. Positive
Security Culture
Create a fun culture
> People remember a memorable brand
> Make it fun and geeky!
> AppSec are not marketing experts, get help from
Security Awareness and Comms teams
39. Positive
Security Culture
Build a community of Security
Champions
> Special interest group for those interested in AppSec
and cyber security
> Self-drives the culture from within Engineering with
support and collaboration from AppSec
> Fun events and competitions – write your best
phishing email, lock picking, hack internal applications
> Work on initiatives that improve the security posture
of applications such as security libraries, mentoring
peers and liaising with AppSec
40. Security Champions
Jane Doe John Smith
> Interested in AppSec
> Great grasp of security concepts
> coding_skills++ - best coder in the team
> Well respected by peers
> Not part of other communities
Works with AppSec doing security
engineering
> Interested in AppSec
> Good grasp of security concepts
> Good coding skills
> Well liked by peers
> Part of internal communities
Helps spread the word and drive behaviour
change
41. Positive
Security Culture
Reward good behaviour
> Peer and executive recognition
> Speeding pass - prove security awareness, introduce
security pipelining and skip manual security checks
> Internal bug bounty program - reward developers for
finding security bugs you would pay pen-tester for
42. Positive
Security Culture
Remember – it’s not easy!
> Crawl…walk…RUN
> Visible management buy-in
> Harder to change mindset of existing employees,
easier to introduce to new starters
43. Secure Developers Are Superheroes
Takeaways:
● Software security is a big concern in today’s software landscape
● Demand better outcomes in security testing
● Distribute knowledge to scale AppSec
● Focus on positive outcomes, what to do vs what not to do
● Build a positive security culture
Editor's Notes
Intro
Why I am presenting this topic
We went from 16M in 2014 to 22M today and 26M tomorrow.
How many of those software “engineers” have been told about the dangers in their job? Developers learn about security by making mistakes and “on the job”
How many civil engineers know that if you’re building a house, the safety and security of the construction is important?
The whole world runs on software. Its not only the banks, but cars (Tesla, BMW, etc), oil rigs, airplanes, stock exchanges and soon, your mum’s water kettle will be running some form of Linux with a crappy PHP interface to remotely manage the water kettle.
Roughly 2 million exploitable security bugs written every year
The interesting part about Verizon data breach report is that AppSec has been mentioned in there since 2010 as one of the biggest causes of data breaches. We must be doing something wrong.
We have known about SQL injection for 20 years, still making the same mistakes
Speak about Twitter and what just happened.
> AppSec Virtually nonexistent. Nobody cared
> Exploits techniques very simple (BoF, Race conditions, etc).
> Security was solved by infrastructure technology and perimeter security.
> First major focus of hackers on WebApp & Database Vulnerabilities (e.g. SQLi & XSS)
Let’s look at WHY this is happening
SAST, 10 year old technology, usually run when code has been written already
RASP, an agent you install in production that tries to analyse data flows and stop the attack. Even if you’re code is bad, they claim they can stop everything.
DAST, tools you can run on a QA version of your software. Tries to blindly poke holes in what it can access and determine whether its a problem
BugBounties, let’s take pentesting but multiply it with 1000 resources. Surely one of them will find something usefull
Results of your test highly depend on the skills of who you hire. The customer, usually has no clue which skills are required to perform a proper test.
The pentester, usually does not have all the skills
Tell story about our platform being tested by 2 firms with credible reputation (CREST, etc). They found some small stuff (outdated library stuff) but nothing major. Two weeks later, one of our own staff (not certified) found a law in our assessment engine which would allow anyone to pass an exam.
Customers don’t understand the criteria required to select a good security tester, usually pick on a combination of price+reputation. The price pressure results into good companies to be competitive, they down scope it, not enough time to go in depth and to understand the business behind the application. They focus on getting low hanging fruits into a paper document.
The business wants to go all hands agile and to 10 code-drops per day
You’re on your own. Trying to prioritise what’s important and what can be skipped
That’s usually what happens with you if you work too long in AppSec. You bleed :)
No budget
Even if you found budget, not enough people in infosec
Security experts don’t know the code – hard time scaling
New technology/hotness – cannot keep up
There are so many tools, for so many stacks, for so many problems.
GuardRails for Github commits
RASP - Imperva bought Prevoty (WAFng, WAF++)
Exciting RIPsTech -> automatic code patch generation in specific framework
Veracode -> analyse path of execution and advise where to patch
According to the NIST (National Institute of Standards and Technology, US Dept. of Commerce), there are 125 frequent occurring vulnerabilities.
Each developer of the team can not master how to tackle all these vulnerabilities (think juniors).
Developers work on different bits of the code so security knowledge and best practices need to be shared (hard as class room style training and wiki’s aren’t effective, , time consuming, not a priority).
New developers join and need to be trained on best practices, developers leave (is their knowledge preserved?).
Once a vulnerability is fixed, the ‘how it was fixed’ isn’t typically shared or if shared it is done in wiki’s, confluence etc.
Big chance vulnerability will be reintroduced: again research on how to fix or even worse a different fix (new library f.e.).
All the above cause security bugs to be present and hard to eradicate.
We as an industry need to stp focussing on negatives
Old standard – gatekeepers, say no
Don’t tell them what NOT to do, provide guidance on what todo. Make sure secure foundations can be built
Create a memorable brand so people remember.
I am from Appsec so I know we are not branding experts. Leverage security awareness teams, they are great at internal marketing.
Forget to tell people why they should care
Need a teachable moment – failed project delivery, worse breach (better if its your competitor)
Talk about how long it takes to fix a bug for a developer, unknowns for project delivery, competitors taking the lead to business folks
Home on internal social media – news reports, lessons learnt, fun events
Takes a while to create a vibrant community
Everyone needs to be security aware but not everyone needs to be an expert.
Identify those interested in security and help them gain deeper knowledge. Not a hacking expert, still focussed on secure coding
Reward for being a champion! Send them to conferences, pay for more training, help make decisions on tooling
Currently negative experience for developers when they find bugs
- Increase work for themselves or their peers, not a positive experience
Currently negative experience for developers when they find bugs
- Increase work for themselves or their peers, not a positive experience