SlideShare a Scribd company logo

Integrating security into the application development process

Download as PPTX, PDF
Jerod Brennen
Jerod Brennen
Technology
1 of 36
Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
Agenda • Seek First to Understand • Source Code Security • AppSec and SQA • Analyzing Deployed Applications • Other Considerations • Resources
How to Write Good Code From http://xkcd.com/844/
SEEK FIRST TO UNDERSTAND
Development Methodologies • Agile with Scrum • Capability Maturity Mode Integrated – 1 (Waterfall) – 3 (Iterative) – 5 (Spiral) • Extreme Programming (XP) • Object-Oriented Development • Pair Programming With Iterative • Proofs of Correctness with Waterfall • Rational Unified Process (RUP) • Team Software Process (TSP) List from http://www.infoq.com/articles/evaluating-agile-software-methodologies
Programming Languages • ASP.NET • C / C++ / C# / Objective-C • HTML5 • Java • PHP • Python • Ruby • What else?
Risk/Security Frameworks • COBIT (ISACA) • COSO (SOX) • HITRUST CSF (HIPAA) • ISO/IEC 27002:2005 • NIST • OCTAVE (CERT) • STRIDE/DREAD – Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege – Damage, Reproducibility, Exploitability, Affected users, Discoverability
Project Phase-Gate Model • Scoping • Build Business Case • Development • Testing and Validation • Launch
The OWASP Top Ten (Web) • A1 – Injection • A2 – Broken Authentication and Session Management • A3 – Cross-Site Scripting (XSS) • A4 – Insecure Direct Object References • A5 – Security Misconfiguration • A6 – Sensitive Data Exposure • A7 – Missing Function Level Access Control • A8 – Cross-Site Request Forgery (CSRF) • A9 – Using Components with Known Vulnerabilities • A10 – Unvalidated Redirects and Forwards
The OWASP Top Ten (Mobile) • M1 – Insecure Data Storage • M2 – Weak Server Side Controls • M3 – Insufficient Transport Layer Protection • M4 – Client Side Injection • M5 – Poor Authorization and Authentication • M6 – Improper Session Handling • M7 – Security Decisions Via Untrusted Inputs • M8 – Side Channel Data Leakage • M9 – Broken Cryptography • M10 – Sensitive Information Disclosure
Prep Checklist • What development methodologies do we follow? • What programming languages do we use? • What risk/security frameworks do we follow? • What third-party libraries do we use? • What stages in the development process require approval from the security team?
SOURCE CODE SECURITY
Code Reviews • Benefits – Find flaws – Reduce fraud • Peer Reviews in Software, by Karl Wiegers – Ad hoc review – Passaround – Pair programming – Walkthrough – Team Review – Inspection
OWASP Code Review Project • Methodology (v1.1, current) – Preparation – Security Code Review in the SDLC – Security Code Review Coverage – Application Threat Modeling – Code Review Metrics • Methodology (v2.0, due in January 2014) – Preparation – Application Threat Modeling – Understanding Code Layout/Design/Architecture – Reviewing by Technical Control – Reviewing by Vulnerability – Security Code Review for Agile Development
Code Review Tools • NIST SAMATE – Software Assurance Metrics and Tool Evaluation • Tools – Source Code Security Analyzers – Byte Code Scanners – Binary Code Scanners
Code Review Tools (cont’d) • Checkmarx ($; multiple languages) • DevInpsect ($; Java, .NET) • FindBugs / FindSecurityBugs (free; Java) • FxCop (free; .NET) • IDA Pro ($; Windows/Linux executables) • LAPSE (free; Java) • PMD (free; Java) • Rational AppScan ($; multiple languages) • RATS (free; C, C++, Perl, PHP, Python)
APPSEC AND SQA
The SQA Process • Initiation • Planning • Tracking • Training • Reviews • Issue Resolution • Testing • Audit • Process Improvement List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx
Positive and Negative Testing • Positive Test Cases – Does the app do what it’s supposed to do? • Negative Test Cases – Does the app do anything it’s not supposed to do?
Top 10 Negative Test Cases • Embedded Single Quote • Required Data Entry • Field Type Test • Field Size Test • Numeric Bounds Test • Numeric Limits Test • Date Bounds Test • Date Validity • Web Session Testing • Performance Changes List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
SQA Security Tools • QAInspect • OWASP Zed Attack Proxy (ZAP) • OWASP Mantra
ANALYZING DEPLOYED APPLICATIONS
Application Scanning • Automated scanners interact with an app like an actual user • Production vs. Non-Production • Authenticated vs. Non-Authenticated • Don’t forget the app infrastructure – Host Systems – Web Servers – Backend Databases
Manual App Analysis • OWASP Testing Guide (v3) – Information Gathering – Configuration Management Testing – Authentication Testing – Session Management Testing – Authorization Testing – Business Logic Testing – Data Validation Testing – Testing for Denial of Service – Web Services Testing – AJAX Testing • Version 4 in development (some material available)
Scanning vs. Pen Testing • Scanning – Automated – Look for signature-based flaws – Some heuristics • Web App Pen Testing – Unconventional thinking – Test application logic
Web App Security Scanners • Acunetix Web Vulnerability Scanner (WVS) • AppScan • Arachni • Burp Suite • Grendel-Scan • QualysGuard Web Application Scanner (WAS) • SamuraiWTF • Veracode Web Application Security (WAS) • W3AF • WebInspect • WebSecurify
OTHER CONSIDERATIONS
SQA Metrics • ISO 9126-1 (Software Quality) – Functionality • Security (unauthorized access) – Reliability – Usability – Efficiency – Maintainability – Portability • Security – CIA Triad – Confidentiality – Integrity – Availability
SQA Metrics (cont’d) • OWASP – Cross-site scripting tests run – SQL injection tests run – User input tests run – Cookie or credentials manipulation testing has been performed – Denial of Service scenarios have been checked • Vulnerabilities detected vs. vulnerabilities remediated List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics
Developer Training • OWASP Resources – Top 10 Application Security Risks – Top 10 Mobile Security Risks – WebGoat Project (Java) – Mutillidae (PHP) – Bricks (PHP and MySQL) • SANS Courses – SEC542: Web App Penetration Testing and Ethical Hacking – DEV522: Defending Web Applications Security Essentials – DEV541: Secure Coding in Java/JEE – DEV544: Secure Coding in .NET • Web Application Security Consortium
Professional Organizations • OWASP • ISSA • (ISC)2 • InfraGard • ISACA • W3C Web Application Security Working Group
RESOURCES
Resources • Codecademy – http://www.codecademy.com/learn • OWASP Top Ten (2013) – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project – https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_- _English.pptx • OWASP Code Review Project – https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project • NIST SAMATE – http://samate.nist.gov/ • Web App Scanner List – http://projects.webappsec.org/w/page/13246988/Web%20Application%20Secu rity%20Scanner%20List • SecTools – http://sectools.org/
More Resources • Project Phase Gate Model – http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model • ISO 9126 Software Quality Characteristics – http://www.sqa.net/iso9126.html • Top 10 Negative Test Cases – http://www.sqatester.com/methodology/Top10NegativeTestCases.htm • OWASP – Software Quality Assurance – https://www.owasp.org/index.php/Software_Quality_Assurance • OWASP Testing Project – https://www.owasp.org/index.php/OWASP_Testing_Project • “952” Metrics for Software Quality Assurance (SQA) – http://davidfrico.com/sqa-metrics.pdf • Web Application Security Working Group – http://www.w3.org/2011/webappsec/
Even More Resources • SQL Injection Tutorial – http://www.youtube.com/watch?v=qELByGfNJSE • OWASP Mobile Security Project – https://www.owasp.org/index.php/OWASP_Mobile_Security_Project – http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks • OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project • OWASP Mutillidae – https://www.owasp.org/index.php/Category:OWASP_Mutillidae • OWASP Bricks – https://www.owasp.org/index.php/OWASP_Bricks
Contact Info Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis LinkedIn: http://www.linkedin/com/in/slandail Twitter: https://twitter.com/slandail http://www.jacadis.com/ contact@jacadis.com

Recommended

Trust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataTrust No-One Architecture For Services And Data
Trust No-One Architecture For Services And Data
Aidan Finn
 
Digitally Transform (And Keep) Your On-Premises File Servers
Digitally Transform (And Keep) Your On-Premises File ServersDigitally Transform (And Keep) Your On-Premises File Servers
Digitally Transform (And Keep) Your On-Premises File Servers
Aidan Finn
 
Azure Networking - The First Technical Challenge
Azure Networking - The First Technical ChallengeAzure Networking - The First Technical Challenge
Azure Networking - The First Technical Challenge
Aidan Finn
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
Alert Logic
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
Alert Logic
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security Fundamentals
Lorenzo Barbieri
 
Azure Security and Management
Azure Security and ManagementAzure Security and Management
Azure Security and Management
Allen Brokken
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud Security
Alert Logic
 

Recommended

Trust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataTrust No-One Architecture For Services And Data
Trust No-One Architecture For Services And Data
Aidan Finn
 
Digitally Transform (And Keep) Your On-Premises File Servers
Digitally Transform (And Keep) Your On-Premises File ServersDigitally Transform (And Keep) Your On-Premises File Servers
Digitally Transform (And Keep) Your On-Premises File Servers
Aidan Finn
 
Azure Networking - The First Technical Challenge
Azure Networking - The First Technical ChallengeAzure Networking - The First Technical Challenge
Azure Networking - The First Technical Challenge
Aidan Finn
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
Alert Logic
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
Alert Logic
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security Fundamentals
Lorenzo Barbieri
 
Azure Security and Management
Azure Security and ManagementAzure Security and Management
Azure Security and Management
Allen Brokken
 
Best Practices in Cloud Security
Best Practices in Cloud SecurityBest Practices in Cloud Security
Best Practices in Cloud Security
Alert Logic
 
Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure security
Bruno Capuano
 
Windows Azure Security Features And Functionality
Windows Azure Security Features And FunctionalityWindows Azure Security Features And Functionality
Windows Azure Security Features And Functionality
vivekbhat
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWS
Alert Logic
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeCSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
Alert Logic
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for Success
Alert Logic
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
Azure Security Center
Azure Security CenterAzure Security Center
Azure Security Center
Udaiappa Ramachandran
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
Allen Brokken
 
Azure Saturday: Security + DevOps + Azure = Awesomeness
Azure Saturday: Security + DevOps + Azure = AwesomenessAzure Saturday: Security + DevOps + Azure = Awesomeness
Azure Saturday: Security + DevOps + Azure = Awesomeness
Karl Ots
 
[RightScale Webinar] Architecting Databases in the cloud: How RightScale Doe...
[RightScale Webinar] Architecting Databases in the cloud: How RightScale Doe...[RightScale Webinar] Architecting Databases in the cloud: How RightScale Doe...
[RightScale Webinar] Architecting Databases in the cloud: How RightScale Doe...
RightScale
 
Security OF The Cloud
Security OF The CloudSecurity OF The Cloud
Security OF The Cloud
Mark Nunnikhoven
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
walk2talk srl
 
Cloud Security at Netflix
Cloud Security at NetflixCloud Security at Netflix
Cloud Security at Netflix
Jason Chan
 
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Amazon Web Services
 
CSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeCSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in Practice
Alert Logic
 
Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWS
Akshay Mathur
 
Austin CSS Slalom Presentation
Austin CSS Slalom PresentationAustin CSS Slalom Presentation
Austin CSS Slalom Presentation
Alert Logic
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
Alert Logic
 
Networking deep dive
Networking deep diveNetworking deep dive
Networking deep dive
Jeroen Niesen
 
Security and Compliance in the Cloud
Security and Compliance in the Cloud Security and Compliance in the Cloud
Security and Compliance in the Cloud
Amazon Web Services
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
AHM Pervej Kabir
 
CISSP Week 13
CISSP Week 13CISSP Week 13
CISSP Week 13
jemtallon
 

More Related Content

What's hot

CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
walk2talk srl
 
Cloud Security at Netflix
Cloud Security at NetflixCloud Security at Netflix
Cloud Security at Netflix
Jason Chan
 
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Amazon Web Services
 

What's hot (20)

Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure security
 
Windows Azure Security Features And Functionality
Windows Azure Security Features And FunctionalityWindows Azure Security Features And Functionality
Windows Azure Security Features And Functionality
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWS
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeCSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for Success
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
Azure Security Center
Azure Security CenterAzure Security Center
Azure Security Center
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 
Azure Saturday: Security + DevOps + Azure = Awesomeness
Azure Saturday: Security + DevOps + Azure = AwesomenessAzure Saturday: Security + DevOps + Azure = Awesomeness
Azure Saturday: Security + DevOps + Azure = Awesomeness
 
[RightScale Webinar] Architecting Databases in the cloud: How RightScale Doe...
[RightScale Webinar] Architecting Databases in the cloud: How RightScale Doe...[RightScale Webinar] Architecting Databases in the cloud: How RightScale Doe...
[RightScale Webinar] Architecting Databases in the cloud: How RightScale Doe...
 
Security OF The Cloud
Security OF The CloudSecurity OF The Cloud
Security OF The Cloud
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
 
Cloud Security at Netflix
Cloud Security at NetflixCloud Security at Netflix
Cloud Security at Netflix
 
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
 
CSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in PracticeCSS17: DC - The AWS Shared Responsibility Model in Practice
CSS17: DC - The AWS Shared Responsibility Model in Practice
 
Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWS
 
Austin CSS Slalom Presentation
Austin CSS Slalom PresentationAustin CSS Slalom Presentation
Austin CSS Slalom Presentation
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
 
Networking deep dive
Networking deep diveNetworking deep dive
Networking deep dive
 
Security and Compliance in the Cloud
Security and Compliance in the Cloud Security and Compliance in the Cloud
Security and Compliance in the Cloud
 

Viewers also liked

CISSP Week 13
CISSP Week 13CISSP Week 13
CISSP Week 13
jemtallon
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 

Viewers also liked (7)

Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
CISSP Week 13
CISSP Week 13CISSP Week 13
CISSP Week 13
 
isecure's Identity Management Training Intro
isecure's Identity Management Training Introisecure's Identity Management Training Intro
isecure's Identity Management Training Intro
 
CISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecurityCISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development Security
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
 
7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development Security
 
Information systems development methodologies
Information systems development methodologiesInformation systems development methodologies
Information systems development methodologies
 

Similar to Integrating security into the application development process

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Application_security_Strategic
Application_security_StrategicApplication_security_Strategic
Application_security_Strategic
Ramesh VG
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
Cprime
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security Governance
Can Demirel
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
CloudPassage
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 

Similar to Integrating security into the application development process (20)

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
Security for developers
Security for developersSecurity for developers
Security for developers
 
Application_security_Strategic
Application_security_StrategicApplication_security_Strategic
Application_security_Strategic
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Unified Security Governance
Unified Security GovernanceUnified Security Governance
Unified Security Governance
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)
 
Protecting microservices using secure design patterns 1.0
Protecting microservices using secure design patterns 1.0Protecting microservices using secure design patterns 1.0
Protecting microservices using secure design patterns 1.0
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 

More from Jerod Brennen

Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
Jerod Brennen
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTF
Jerod Brennen
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
Jerod Brennen
 

More from Jerod Brennen (14)

Embedding Security in the SDLC
Embedding Security in the SDLCEmbedding Security in the SDLC
Embedding Security in the SDLC
 
The Path to IAM Maturity
The Path to IAM MaturityThe Path to IAM Maturity
The Path to IAM Maturity
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAM
 
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTF
 
Assess all the things
Assess all the thingsAssess all the things
Assess all the things
 
What you need to know about OSINT
What you need to know about OSINTWhat you need to know about OSINT
What you need to know about OSINT
 
Running Your Apps Through the "Gauntlt"
Running Your Apps Through the "Gauntlt"Running Your Apps Through the "Gauntlt"
Running Your Apps Through the "Gauntlt"
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security Framework
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit Gap
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Recently uploaded (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 

Integrating security into the application development process

  • 1. Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
  • 2. Agenda • Seek First to Understand • Source Code Security • AppSec and SQA • Analyzing Deployed Applications • Other Considerations • Resources
  • 3. How to Write Good Code From http://xkcd.com/844/
  • 4. SEEK FIRST TO UNDERSTAND
  • 5. Development Methodologies • Agile with Scrum • Capability Maturity Mode Integrated – 1 (Waterfall) – 3 (Iterative) – 5 (Spiral) • Extreme Programming (XP) • Object-Oriented Development • Pair Programming With Iterative • Proofs of Correctness with Waterfall • Rational Unified Process (RUP) • Team Software Process (TSP) List from http://www.infoq.com/articles/evaluating-agile-software-methodologies
  • 6. Programming Languages • ASP.NET • C / C++ / C# / Objective-C • HTML5 • Java • PHP • Python • Ruby • What else?
  • 7. Risk/Security Frameworks • COBIT (ISACA) • COSO (SOX) • HITRUST CSF (HIPAA) • ISO/IEC 27002:2005 • NIST • OCTAVE (CERT) • STRIDE/DREAD – Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege – Damage, Reproducibility, Exploitability, Affected users, Discoverability
  • 8. Project Phase-Gate Model • Scoping • Build Business Case • Development • Testing and Validation • Launch
  • 9. The OWASP Top Ten (Web) • A1 – Injection • A2 – Broken Authentication and Session Management • A3 – Cross-Site Scripting (XSS) • A4 – Insecure Direct Object References • A5 – Security Misconfiguration • A6 – Sensitive Data Exposure • A7 – Missing Function Level Access Control • A8 – Cross-Site Request Forgery (CSRF) • A9 – Using Components with Known Vulnerabilities • A10 – Unvalidated Redirects and Forwards
  • 10. The OWASP Top Ten (Mobile) • M1 – Insecure Data Storage • M2 – Weak Server Side Controls • M3 – Insufficient Transport Layer Protection • M4 – Client Side Injection • M5 – Poor Authorization and Authentication • M6 – Improper Session Handling • M7 – Security Decisions Via Untrusted Inputs • M8 – Side Channel Data Leakage • M9 – Broken Cryptography • M10 – Sensitive Information Disclosure
  • 11. Prep Checklist • What development methodologies do we follow? • What programming languages do we use? • What risk/security frameworks do we follow? • What third-party libraries do we use? • What stages in the development process require approval from the security team?
  • 13. Code Reviews • Benefits – Find flaws – Reduce fraud • Peer Reviews in Software, by Karl Wiegers – Ad hoc review – Passaround – Pair programming – Walkthrough – Team Review – Inspection
  • 14. OWASP Code Review Project • Methodology (v1.1, current) – Preparation – Security Code Review in the SDLC – Security Code Review Coverage – Application Threat Modeling – Code Review Metrics • Methodology (v2.0, due in January 2014) – Preparation – Application Threat Modeling – Understanding Code Layout/Design/Architecture – Reviewing by Technical Control – Reviewing by Vulnerability – Security Code Review for Agile Development
  • 15. Code Review Tools • NIST SAMATE – Software Assurance Metrics and Tool Evaluation • Tools – Source Code Security Analyzers – Byte Code Scanners – Binary Code Scanners
  • 16. Code Review Tools (cont’d) • Checkmarx ($; multiple languages) • DevInpsect ($; Java, .NET) • FindBugs / FindSecurityBugs (free; Java) • FxCop (free; .NET) • IDA Pro ($; Windows/Linux executables) • LAPSE (free; Java) • PMD (free; Java) • Rational AppScan ($; multiple languages) • RATS (free; C, C++, Perl, PHP, Python)
  • 18. The SQA Process • Initiation • Planning • Tracking • Training • Reviews • Issue Resolution • Testing • Audit • Process Improvement List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx
  • 19. Positive and Negative Testing • Positive Test Cases – Does the app do what it’s supposed to do? • Negative Test Cases – Does the app do anything it’s not supposed to do?
  • 20. Top 10 Negative Test Cases • Embedded Single Quote • Required Data Entry • Field Type Test • Field Size Test • Numeric Bounds Test • Numeric Limits Test • Date Bounds Test • Date Validity • Web Session Testing • Performance Changes List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
  • 21. SQA Security Tools • QAInspect • OWASP Zed Attack Proxy (ZAP) • OWASP Mantra
  • 23. Application Scanning • Automated scanners interact with an app like an actual user • Production vs. Non-Production • Authenticated vs. Non-Authenticated • Don’t forget the app infrastructure – Host Systems – Web Servers – Backend Databases
  • 24. Manual App Analysis • OWASP Testing Guide (v3) – Information Gathering – Configuration Management Testing – Authentication Testing – Session Management Testing – Authorization Testing – Business Logic Testing – Data Validation Testing – Testing for Denial of Service – Web Services Testing – AJAX Testing • Version 4 in development (some material available)
  • 25. Scanning vs. Pen Testing • Scanning – Automated – Look for signature-based flaws – Some heuristics • Web App Pen Testing – Unconventional thinking – Test application logic
  • 26. Web App Security Scanners • Acunetix Web Vulnerability Scanner (WVS) • AppScan • Arachni • Burp Suite • Grendel-Scan • QualysGuard Web Application Scanner (WAS) • SamuraiWTF • Veracode Web Application Security (WAS) • W3AF • WebInspect • WebSecurify
  • 28. SQA Metrics • ISO 9126-1 (Software Quality) – Functionality • Security (unauthorized access) – Reliability – Usability – Efficiency – Maintainability – Portability • Security – CIA Triad – Confidentiality – Integrity – Availability
  • 29. SQA Metrics (cont’d) • OWASP – Cross-site scripting tests run – SQL injection tests run – User input tests run – Cookie or credentials manipulation testing has been performed – Denial of Service scenarios have been checked • Vulnerabilities detected vs. vulnerabilities remediated List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics
  • 30. Developer Training • OWASP Resources – Top 10 Application Security Risks – Top 10 Mobile Security Risks – WebGoat Project (Java) – Mutillidae (PHP) – Bricks (PHP and MySQL) • SANS Courses – SEC542: Web App Penetration Testing and Ethical Hacking – DEV522: Defending Web Applications Security Essentials – DEV541: Secure Coding in Java/JEE – DEV544: Secure Coding in .NET • Web Application Security Consortium
  • 31. Professional Organizations • OWASP • ISSA • (ISC)2 • InfraGard • ISACA • W3C Web Application Security Working Group
  • 33. Resources • Codecademy – http://www.codecademy.com/learn • OWASP Top Ten (2013) – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project – https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_- _English.pptx • OWASP Code Review Project – https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project • NIST SAMATE – http://samate.nist.gov/ • Web App Scanner List – http://projects.webappsec.org/w/page/13246988/Web%20Application%20Secu rity%20Scanner%20List • SecTools – http://sectools.org/
  • 34. More Resources • Project Phase Gate Model – http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model • ISO 9126 Software Quality Characteristics – http://www.sqa.net/iso9126.html • Top 10 Negative Test Cases – http://www.sqatester.com/methodology/Top10NegativeTestCases.htm • OWASP – Software Quality Assurance – https://www.owasp.org/index.php/Software_Quality_Assurance • OWASP Testing Project – https://www.owasp.org/index.php/OWASP_Testing_Project • “952” Metrics for Software Quality Assurance (SQA) – http://davidfrico.com/sqa-metrics.pdf • Web Application Security Working Group – http://www.w3.org/2011/webappsec/
  • 35. Even More Resources • SQL Injection Tutorial – http://www.youtube.com/watch?v=qELByGfNJSE • OWASP Mobile Security Project – https://www.owasp.org/index.php/OWASP_Mobile_Security_Project – http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks • OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project • OWASP Mutillidae – https://www.owasp.org/index.php/Category:OWASP_Mutillidae • OWASP Bricks – https://www.owasp.org/index.php/OWASP_Bricks
  • 36. Contact Info Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis LinkedIn: http://www.linkedin/com/in/slandail Twitter: https://twitter.com/slandail http://www.jacadis.com/ contact@jacadis.com