SlideShare una empresa de Scribd logo

Integrating Application Security into a Software Development Process

Achim D. Brucker
Achim D. Brucker

Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introducing static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., caused by the large number of software development projects, large number of used programming languages (e.g., ABAP, C, Objective-C, ...), the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g, creating security awareness among the developers, organizing trainings, integration of static code analysis into the development and maintenance processes. In this talk, we report the experiences we made while introducing static code analysis at SAP AG.

Tecnología
1 de 34
Descargar para leer sin conexión
Dr. Achim D. Brucker 31. Januar 2013 Maßnahmen im Entwicklungsprozess zur Sicherstellung der Anwendungssicherheit Public
© 2013 SAP AG. All rights reserved. 3Public SAP Today 54,500+ SAP employees worldwide 120 countries 25 industries 37 languages 75 country offices 1,200+ services partners worldwide
© 2013 SAP AG. All rights reserved. 4Public Agenda Why is SAP using Static Code Analysis? Secure Development Lifecycle at SAP Static Code Analysis at SAP Challenges and Outlook
© 2013 SAP AG. All rights reserved. 5Public Costs of Computer Hacks Costs of Computer Hacks • TJX Company, Inc. (2007) $ 250 million • Sony (2011) $ 170 million • Heartland Payment Systems (2009) $ 41 million “A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts.” (http://financialedge.investopedia.com/financial-edge/0711/Most-Costly-Computer-Hacks-Of-All-Time.aspx)
© 2013 SAP AG. All rights reserved. 6Public Time-line of the Sony Hack(s) (excerpt): • 2011-04-20 Sony PSN goes down • 2011-05-21 Sony BMG: data of 8300 users leaked (SQL Injection) • 2011-05-23 Sony Japanese database leaked (SQL Injection) • 2011-05-24 Sony Canada: roughly 2,000 leaked (SQL Injection) • 2011-06-05 Sony Pictures Russia (SQL Injection) • 2011-06-06 Sony Portugal: SQL injection, iFrame injection and XSS • 2011-06-20 20th breach within 2 months, 177k email addresses were grabbed via a SQL injection (http://hassonybeenhackedthisweek.com/history) Has Sony been Hacked this Week? http://hassonybeenhackedthisweek.com/
© 2013 SAP AG. All rights reserved. 7Public A Bluffers Guide to SQL Injection Assume an SQL Statement for Selecting all users with user name userName from the table users. What happens if we choose the following (weird) userName: userName = "‟ or ‟1=‟1" Resulting in the following statement: statement = "SELECT * FROM „users‟ WHERE „name‟ = „’ or ’1’=’1’;" Which is equivalent to statement = "SELECT * FROM „users„;" statement="SELECT * FROM „users„ WHERE „name„ = ‟" + userName + "‟;" And selects the information about all users stored in the table users
© 2013 SAP AG. All rights reserved. 8Public Insecure Software
© 2013 SAP AG. All rights reserved. 9Public Evolution of Code
© 2013 SAP AG. All rights reserved. 10Public Security Testing
© 2013 SAP AG. All rights reserved. 11Public Dynamic Security Testing Characteristics • Black box approach • Sends input to applications and analyses response Advantages • Provides concrete examples (attacks) • Analyze dataflows across multiple components Disadvantages • Coverage unclear • Requires test system
© 2013 SAP AG. All rights reserved. 12Public Static Security Testing Characteristics • White box approach • Analyses abstraction of the source (binary) Advantages • Explores all data paths / control flows • Can analyze single modules (unit test) Disadvantages • High false positive rate (not exploitable findings) • Does not consider application environment
© 2013 SAP AG. All rights reserved. 13Public Security Code Scans at SAP: Overview Started rollout in June 2010 Centrally guided by a project team • Definition of Security Requirements • Establishment of Scan Infrastructure Support of the most important languages SAP development and third party code
© 2013 SAP AG. All rights reserved. 14Public Agenda Why is SAP using Static Code Analysis? Secure Development Lifecycle at SAP Static Code Analysis at SAP Challenges and Outlook
© 2013 SAP AG. All rights reserved. 15Public Education • The prerequisite for achieving a high security quality Security awareness • Reducing the number of “built-in” security problems Trained persons • Analyze and fix vulnerabilities much more efficiently Trainings • Secure Programming, Build & Scan, Auditing, …. First Step: Security Training
© 2013 SAP AG. All rights reserved. 16Public Secure Development Lifecycle (SDLC) at SAP Structure the investment of time and resources • to safeguard a high level of security • to ensure security standards across all areas Security requirements • are taken into account and • are implemented in all phases of product development
© 2013 SAP AG. All rights reserved. 17Public The Different Roles Developer • fixes software security issues Security Expert • review scan results, decides on fixes Build Master • scans the source code, manages results Scrum Master • requests scan, assigns vulnerabilities to developers
© 2013 SAP AG. All rights reserved. 18Public Infrastructure
© 2013 SAP AG. All rights reserved. 19Public SAP Secure Software Development Life Cycle For passing D2P Q-gate, evidence has to be provided that the source code has been scanned and exploitables have been fixed. P2D: Planning to Development. / D2P: Development to Production. / P2R: Production to Ramp-up (gradual roll-out to customers). Code Scans
© 2013 SAP AG. All rights reserved. 20Public Third Party Code Third party code • Open Source libraries and frameworks • Freeware • other third party components Different approaches • SAST analysis by SAP • Trusted (certified) vendors • Certificate from trusted third party (e.g., based on binary analysis) • SLA with vendor
© 2013 SAP AG. All rights reserved. 21Public Agenda Why is SAP using Static Code Analysis? Secure Development Lifecycle at SAP Static Code Analysis at SAP Challenges and Outlook
© 2013 SAP AG. All rights reserved. 22Public Code Scan Facts Over 2000 developers are using SAST tools Over 500 MLOC scanned Over 15000 issues removed Statistics Jan 2012 ABAP Java C,C++,C# Java and COther languages
© 2013 SAP AG. All rights reserved. 23Public Language Scan Application ABAP SAP C/C++ Coverity Others HP/Fortify Security Scan Tools used at SAP
© 2013 SAP AG. All rights reserved. 24Public Security Requirements SAP on Corporate Security Requirements • SAP Applications shall be free of backdoors • SQL injection vulnerabilities shall be avoided • Cross-Site Scripting vulnerabilities shall be prevented • Directory traversal vulnerabilities shall be prevented • The system shall be protected against buffer overflow vulnerabilities OWASP Top 10 CWE/SANS Top 25 2011 CVE
© 2013 SAP AG. All rights reserved. 25Public Continuous Improvement Collect feedback from the • Product Security Response Team • Development Teams Develop rules/models to improve the scans Continuously improve the infrastructure Continuously improve the rollout process
© 2013 SAP AG. All rights reserved. 26Public Input to Improve Code Scans BuildSource Code Normalized/ Abstract Format Analyze/Scan Analysis Results Review and Fix Security Response Team Security Messages Security Code Scan Team Rules/Models/Template/Filters Further input channels: Development teams, internal research, scan reviews, code reviews
© 2013 SAP AG. All rights reserved. 27Public Lessons Learned Scans have to be obligatory • but not introduced „brute force‟ Establish Secure Development Life Cycle • make scans a natural part of development Plan carefully • Do not start with scans right before Dev. Close • Do it regularly (nightly) • Do regression testing of new versions of the used tools • Do continuously discuss new threats with the security community Do not introduce changes during development
© 2013 SAP AG. All rights reserved. 28Public Agenda Why is SAP using Static Code Analysis? Secure Development Lifecycle at SAP Static Code Analysis at SAP Challenges and Outlook
© 2013 SAP AG. All rights reserved. 29Public Challenges
© 2013 SAP AG. All rights reserved. 30Public JavaScript I Unerstand the DOM Resulting in a DOM-based XSS attack Warning: DOM implementations are Browser specific <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.URL.indexOf("name=")+5; document.write(document.URL.substring (pos,document.URL.length)); </SCRIPT> Welcome to our system Assume the following (simplified) index.html: And a call index.html?name=<script>alert(document.cookie)</script>
© 2013 SAP AG. All rights reserved. 31Public JavaScript II Dynamic Evaluation Or using eval() directly (not shown here) <script language="javascript"> document.write("<script src=‟other.js‟></script>"); </script> A simple script tag: Dynamic creation of script tags var oHead = document.getElementsByTagName(‟HEAD‟).item(0); var oScript= document.createElement("script"); oScript.type = "text/javascript"; oScript.src="other.js"; oHead.appendChild( oScript);
© 2013 SAP AG. All rights reserved. 32Public JavaScript II Dynamic Evaluation Or using eval() directly (not shown here) <script language="javascript"> document.write("<script src=‟other.js‟></script>"); </script> A simple script tag: Dynamic creation of script tags var oHead =ndocument.getElementsByTagName(‟HEAD‟).item(0); var oScript= document.createElement("script"); oScript.type = "text/javascript"; oScript.src="other.js"; oHead.appendChild( oScript);
© 2013 SAP AG. All rights reserved. 33Public JavaScript III Server-Side JavaScript var entry=JSON.parse(data); query = “insert into ”FOO(“.NAME”)””; var conn = $.db.getConnection(); conn.execute(query); Combining the complexity of both worlds:
© 2013 SAP AG. All rights reserved. 34Public Challenges: Current Trends SAST works very well for • “traditional” programming languages • Analyzing data paths within one technology Many new development uses JavaScript • HTML5 / JavaScript UIs • Server-side JavaScript JavaScript • Untyped / dynamically typed • Dynamic programming model “You cannot pay people well enough, to do proper code audits. I tried it.” Yaron Minsky, Jane Street Capital
Thank you Contact information: Dr. Achim D. Brucker Senior Researcher Vincenz-Priessnitz-Strasse 1, 76131 Karlsruhe achim.brucker@sap.com http://xkcd.com/327/

Recomendados

Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
Coverity Data Sheet
Coverity Data SheetCoverity Data Sheet
Coverity Data SheetJon Lundquist
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Klocwork
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for securitySuman Sourav
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 

Recomendados

Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
Coverity Data Sheet
Coverity Data SheetCoverity Data Sheet
Coverity Data SheetJon Lundquist
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Rogue Wave Software
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Klocwork
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for securitySuman Sourav
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiRaphael Denipotti
 
Security Champions - Introduce them in your Organisation
Security Champions - Introduce them in your OrganisationSecurity Champions - Introduce them in your Organisation
Security Champions - Introduce them in your OrganisationIves Laaf
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Toolsn|u - The Open Security Community
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Denim Group
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Suman Sourav
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLCPaul Yang
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris. Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris. OW2
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyDerek E. Weeks
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevOps Indonesia
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationDenim Group
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOpsPawel Krawczyk
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps WorldParasoft
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0Dinis Cruz
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
Clustering
ClusteringClustering
ClusteringSomdeep Sen
 

Más contenido relacionado

La actualidad más candente

Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiRaphael Denipotti
 
Security Champions - Introduce them in your Organisation
Security Champions - Introduce them in your OrganisationSecurity Champions - Introduce them in your Organisation
Security Champions - Introduce them in your OrganisationIves Laaf
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Denim Group
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Suman Sourav
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLCPaul Yang
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris. Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris. OW2
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyDerek E. Weeks
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevOps Indonesia
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationDenim Group
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps WorldParasoft
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0Dinis Cruz
 

La actualidad más candente (20)

Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
 
Security Champions - Introduce them in your Organisation
Security Champions - Introduce them in your OrganisationSecurity Champions - Introduce them in your Organisation
Security Champions - Introduce them in your Organisation
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris. Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris.
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps World
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0
 

Destacado

New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
Modelos pedagógicos tradicional Juber Huaripata
Modelos pedagógicos tradicional Juber HuaripataModelos pedagógicos tradicional Juber Huaripata
Modelos pedagógicos tradicional Juber Huaripataadbeluz
 
Journal - National Asso. Black Accountants (NABA) Seattle Chapter
Journal - National Asso. Black Accountants (NABA) Seattle Chapter Journal - National Asso. Black Accountants (NABA) Seattle Chapter
Journal - National Asso. Black Accountants (NABA) Seattle Chapter Mack Enterprises Unlimited
 
Digital lo Cambia Todo - Una presentación siempre en evolución.
Digital lo Cambia Todo - Una presentación siempre en evolución.Digital lo Cambia Todo - Una presentación siempre en evolución.
Digital lo Cambia Todo - Una presentación siempre en evolución.Rogelio Umaña
 
Mongolian embassies and consulates
Mongolian embassies and consulatesMongolian embassies and consulates
Mongolian embassies and consulatesAldar Sambuu
 
Workshop om fremtidens salgsleder salget 2020
Workshop om fremtidens salgsleder salget 2020Workshop om fremtidens salgsleder salget 2020
Workshop om fremtidens salgsleder salget 2020Business Danmark
 
Informe de situación de la Gestión Administrativa de la Gerencia de Urbanismo
Informe de situación de la Gestión Administrativa de la Gerencia de UrbanismoInforme de situación de la Gestión Administrativa de la Gerencia de Urbanismo
Informe de situación de la Gestión Administrativa de la Gerencia de UrbanismoAyuntamiento de Zaragoza
 
HoLT Presentation - ALA 2013
HoLT Presentation - ALA 2013HoLT Presentation - ALA 2013
HoLT Presentation - ALA 2013Rob Nunez
 
Crisis de los 30 Schoenberg,alban berg, webern. taller d musica contemporanea
Crisis de los 30 Schoenberg,alban berg, webern. taller d musica contemporaneaCrisis de los 30 Schoenberg,alban berg, webern. taller d musica contemporanea
Crisis de los 30 Schoenberg,alban berg, webern. taller d musica contemporaneaEscuela Estafatal de Mosos
 
Proceedings deutscher tropentag 2003
Proceedings deutscher tropentag 2003Proceedings deutscher tropentag 2003
Proceedings deutscher tropentag 2003Dickdick Maulana
 
topigs balanced breeding presentation vietnam
topigs balanced breeding presentation vietnamtopigs balanced breeding presentation vietnam
topigs balanced breeding presentation vietnamNguyen Quoc Trung
 
Los candidatos presidenciales desde la mirada de las marcas
Los candidatos presidenciales desde la mirada de las marcasLos candidatos presidenciales desde la mirada de las marcas
Los candidatos presidenciales desde la mirada de las marcasAlmabrands
 
Virtualizacion de Clusters para prevencion de DDoS
Virtualizacion de Clusters para prevencion de DDoSVirtualizacion de Clusters para prevencion de DDoS
Virtualizacion de Clusters para prevencion de DDoSRaul Robles
 

Destacado (20)

New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
 
Clustering
ClusteringClustering
Clustering
 
Modelos pedagógicos tradicional Juber Huaripata
Modelos pedagógicos tradicional Juber HuaripataModelos pedagógicos tradicional Juber Huaripata
Modelos pedagógicos tradicional Juber Huaripata
 
28 part 3-aab e kaosar 3rd file
28 part 3-aab e kaosar 3rd file28 part 3-aab e kaosar 3rd file
28 part 3-aab e kaosar 3rd file
 
Journal - National Asso. Black Accountants (NABA) Seattle Chapter
Journal - National Asso. Black Accountants (NABA) Seattle Chapter Journal - National Asso. Black Accountants (NABA) Seattle Chapter
Journal - National Asso. Black Accountants (NABA) Seattle Chapter
 
Digital lo Cambia Todo - Una presentación siempre en evolución.
Digital lo Cambia Todo - Una presentación siempre en evolución.Digital lo Cambia Todo - Una presentación siempre en evolución.
Digital lo Cambia Todo - Una presentación siempre en evolución.
 
Cbp Seminar Wed 13 May
Cbp Seminar Wed 13 MayCbp Seminar Wed 13 May
Cbp Seminar Wed 13 May
 
Mongolian embassies and consulates
Mongolian embassies and consulatesMongolian embassies and consulates
Mongolian embassies and consulates
 
Workshop om fremtidens salgsleder salget 2020
Workshop om fremtidens salgsleder salget 2020Workshop om fremtidens salgsleder salget 2020
Workshop om fremtidens salgsleder salget 2020
 
La Importancia De La Web 2
La Importancia De La Web 2La Importancia De La Web 2
La Importancia De La Web 2
 
GS Portfolio
GS PortfolioGS Portfolio
GS Portfolio
 
Informe de situación de la Gestión Administrativa de la Gerencia de Urbanismo
Informe de situación de la Gestión Administrativa de la Gerencia de UrbanismoInforme de situación de la Gestión Administrativa de la Gerencia de Urbanismo
Informe de situación de la Gestión Administrativa de la Gerencia de Urbanismo
 
Perdida de timempo[1]
Perdida de timempo[1]Perdida de timempo[1]
Perdida de timempo[1]
 
HoLT Presentation - ALA 2013
HoLT Presentation - ALA 2013HoLT Presentation - ALA 2013
HoLT Presentation - ALA 2013
 
Crisis de los 30 Schoenberg,alban berg, webern. taller d musica contemporanea
Crisis de los 30 Schoenberg,alban berg, webern. taller d musica contemporaneaCrisis de los 30 Schoenberg,alban berg, webern. taller d musica contemporanea
Crisis de los 30 Schoenberg,alban berg, webern. taller d musica contemporanea
 
Proceedings deutscher tropentag 2003
Proceedings deutscher tropentag 2003Proceedings deutscher tropentag 2003
Proceedings deutscher tropentag 2003
 
Kalathos
KalathosKalathos
Kalathos
 
topigs balanced breeding presentation vietnam
topigs balanced breeding presentation vietnamtopigs balanced breeding presentation vietnam
topigs balanced breeding presentation vietnam
 
Los candidatos presidenciales desde la mirada de las marcas
Los candidatos presidenciales desde la mirada de las marcasLos candidatos presidenciales desde la mirada de las marcas
Los candidatos presidenciales desde la mirada de las marcas
 
Virtualizacion de Clusters para prevencion de DDoS
Virtualizacion de Clusters para prevencion de DDoSVirtualizacion de Clusters para prevencion de DDoS
Virtualizacion de Clusters para prevencion de DDoS
 

Similar a Integrating Application Security into a Software Development Process

Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentAchim D. Brucker
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
 
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis OverviewSAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis OverviewSAP Technology
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleAchim D. Brucker
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Achim D. Brucker
 
Improve Data Protection and Compliance with UI-Level Logging and Masking
Improve Data Protection and Compliance with UI-Level Logging and MaskingImprove Data Protection and Compliance with UI-Level Logging and Masking
Improve Data Protection and Compliance with UI-Level Logging and MaskingPatric Dahse
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
Technology and Digital Platform | 2019 partner summit
Technology and Digital Platform | 2019 partner summitTechnology and Digital Platform | 2019 partner summit
Technology and Digital Platform | 2019 partner summitAndrew Kumar
 
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything CA Technologies
 
The Four Hats of Load and Performance Testing with special guest Mentora
The Four Hats of Load and Performance Testing with special guest MentoraThe Four Hats of Load and Performance Testing with special guest Mentora
The Four Hats of Load and Performance Testing with special guest MentoraSOASTA
 
The Four Hats of Load and Performance Testing with special guest Mentora
The Four Hats of Load and Performance Testing with special guest MentoraThe Four Hats of Load and Performance Testing with special guest Mentora
The Four Hats of Load and Performance Testing with special guest MentoraSOASTA
 
Applying lean, dev ops, and cloud for better business outcomes
Applying lean, dev ops, and cloud for better business outcomesApplying lean, dev ops, and cloud for better business outcomes
Applying lean, dev ops, and cloud for better business outcomesKartik Kanakasabesan
 
8 Essential DevOps Tools for Salesforce
8 Essential DevOps Tools for Salesforce8 Essential DevOps Tools for Salesforce
8 Essential DevOps Tools for SalesforceAutoRABIT
 
DOES16 San Francisco - Scott Prugh & Erica Morrison - When Ops Swallows Dev
DOES16 San Francisco - Scott Prugh & Erica Morrison - When Ops Swallows DevDOES16 San Francisco - Scott Prugh & Erica Morrison - When Ops Swallows Dev
DOES16 San Francisco - Scott Prugh & Erica Morrison - When Ops Swallows DevGene Kim
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksSAP Customer Experience
 
Loras College 2014 Business Analytics Symposium | Aaron Lanzen: Creating Busi...
Loras College 2014 Business Analytics Symposium | Aaron Lanzen: Creating Busi...Loras College 2014 Business Analytics Symposium | Aaron Lanzen: Creating Busi...
Loras College 2014 Business Analytics Symposium | Aaron Lanzen: Creating Busi...Cartegraph
 
Risks of Hosted SAP Environments
Risks of Hosted SAP EnvironmentsRisks of Hosted SAP Environments
Risks of Hosted SAP EnvironmentsVirtual Forge
 
Mobile pulse sept 2014
Mobile pulse sept 2014Mobile pulse sept 2014
Mobile pulse sept 2014Bjørn Sloth
 

Similar a Integrating Application Security into a Software Development Process (20)

Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis OverviewSAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...
 
Improve Data Protection and Compliance with UI-Level Logging and Masking
Improve Data Protection and Compliance with UI-Level Logging and MaskingImprove Data Protection and Compliance with UI-Level Logging and Masking
Improve Data Protection and Compliance with UI-Level Logging and Masking
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
 
Technology and Digital Platform | 2019 partner summit
Technology and Digital Platform | 2019 partner summitTechnology and Digital Platform | 2019 partner summit
Technology and Digital Platform | 2019 partner summit
 
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
Continuous Delivery Pipeline in the Cloud – How to Achieve Continous Everything
 
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
 
The Four Hats of Load and Performance Testing with special guest Mentora
The Four Hats of Load and Performance Testing with special guest MentoraThe Four Hats of Load and Performance Testing with special guest Mentora
The Four Hats of Load and Performance Testing with special guest Mentora
 
The Four Hats of Load and Performance Testing with special guest Mentora
The Four Hats of Load and Performance Testing with special guest MentoraThe Four Hats of Load and Performance Testing with special guest Mentora
The Four Hats of Load and Performance Testing with special guest Mentora
 
Applying lean, dev ops, and cloud for better business outcomes
Applying lean, dev ops, and cloud for better business outcomesApplying lean, dev ops, and cloud for better business outcomes
Applying lean, dev ops, and cloud for better business outcomes
 
8 Essential DevOps Tools for Salesforce
8 Essential DevOps Tools for Salesforce8 Essential DevOps Tools for Salesforce
8 Essential DevOps Tools for Salesforce
 
DOES16 San Francisco - Scott Prugh & Erica Morrison - When Ops Swallows Dev
DOES16 San Francisco - Scott Prugh & Erica Morrison - When Ops Swallows DevDOES16 San Francisco - Scott Prugh & Erica Morrison - When Ops Swallows Dev
DOES16 San Francisco - Scott Prugh & Erica Morrison - When Ops Swallows Dev
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from Cyberattacks
 
Loras College 2014 Business Analytics Symposium | Aaron Lanzen: Creating Busi...
Loras College 2014 Business Analytics Symposium | Aaron Lanzen: Creating Busi...Loras College 2014 Business Analytics Symposium | Aaron Lanzen: Creating Busi...
Loras College 2014 Business Analytics Symposium | Aaron Lanzen: Creating Busi...
 
Risks of Hosted SAP Environments
Risks of Hosted SAP EnvironmentsRisks of Hosted SAP Environments
Risks of Hosted SAP Environments
 
Mobile pulse sept 2014
Mobile pulse sept 2014Mobile pulse sept 2014
Mobile pulse sept 2014
 

Más de Achim D. Brucker

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareAchim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofAchim D. Brucker
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetAchim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsAchim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your BrowserAchim D. Brucker
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeAchim D. Brucker
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorAchim D. Brucker
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantAchim D. Brucker
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsAchim D. Brucker
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...Achim D. Brucker
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesAchim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedAchim D. Brucker
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service CompositionAchim D. Brucker
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glassAchim D. Brucker
 

Más de Achim D. Brucker (16)

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software Vendor
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
 

Último

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Último (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

Integrating Application Security into a Software Development Process

  • 1. Dr. Achim D. Brucker 31. Januar 2013 Maßnahmen im Entwicklungsprozess zur Sicherstellung der Anwendungssicherheit Public
  • 2. © 2013 SAP AG. All rights reserved. 3Public SAP Today 54,500+ SAP employees worldwide 120 countries 25 industries 37 languages 75 country offices 1,200+ services partners worldwide
  • 3. © 2013 SAP AG. All rights reserved. 4Public Agenda Why is SAP using Static Code Analysis? Secure Development Lifecycle at SAP Static Code Analysis at SAP Challenges and Outlook
  • 4. © 2013 SAP AG. All rights reserved. 5Public Costs of Computer Hacks Costs of Computer Hacks • TJX Company, Inc. (2007) $ 250 million • Sony (2011) $ 170 million • Heartland Payment Systems (2009) $ 41 million “A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts.” (http://financialedge.investopedia.com/financial-edge/0711/Most-Costly-Computer-Hacks-Of-All-Time.aspx)
  • 5. © 2013 SAP AG. All rights reserved. 6Public Time-line of the Sony Hack(s) (excerpt): • 2011-04-20 Sony PSN goes down • 2011-05-21 Sony BMG: data of 8300 users leaked (SQL Injection) • 2011-05-23 Sony Japanese database leaked (SQL Injection) • 2011-05-24 Sony Canada: roughly 2,000 leaked (SQL Injection) • 2011-06-05 Sony Pictures Russia (SQL Injection) • 2011-06-06 Sony Portugal: SQL injection, iFrame injection and XSS • 2011-06-20 20th breach within 2 months, 177k email addresses were grabbed via a SQL injection (http://hassonybeenhackedthisweek.com/history) Has Sony been Hacked this Week? http://hassonybeenhackedthisweek.com/
  • 6. © 2013 SAP AG. All rights reserved. 7Public A Bluffers Guide to SQL Injection Assume an SQL Statement for Selecting all users with user name userName from the table users. What happens if we choose the following (weird) userName: userName = "‟ or ‟1=‟1" Resulting in the following statement: statement = "SELECT * FROM „users‟ WHERE „name‟ = „’ or ’1’=’1’;" Which is equivalent to statement = "SELECT * FROM „users„;" statement="SELECT * FROM „users„ WHERE „name„ = ‟" + userName + "‟;" And selects the information about all users stored in the table users
  • 7. © 2013 SAP AG. All rights reserved. 8Public Insecure Software
  • 8. © 2013 SAP AG. All rights reserved. 9Public Evolution of Code
  • 9. © 2013 SAP AG. All rights reserved. 10Public Security Testing
  • 10. © 2013 SAP AG. All rights reserved. 11Public Dynamic Security Testing Characteristics • Black box approach • Sends input to applications and analyses response Advantages • Provides concrete examples (attacks) • Analyze dataflows across multiple components Disadvantages • Coverage unclear • Requires test system
  • 11. © 2013 SAP AG. All rights reserved. 12Public Static Security Testing Characteristics • White box approach • Analyses abstraction of the source (binary) Advantages • Explores all data paths / control flows • Can analyze single modules (unit test) Disadvantages • High false positive rate (not exploitable findings) • Does not consider application environment
  • 12. © 2013 SAP AG. All rights reserved. 13Public Security Code Scans at SAP: Overview Started rollout in June 2010 Centrally guided by a project team • Definition of Security Requirements • Establishment of Scan Infrastructure Support of the most important languages SAP development and third party code
  • 13. © 2013 SAP AG. All rights reserved. 14Public Agenda Why is SAP using Static Code Analysis? Secure Development Lifecycle at SAP Static Code Analysis at SAP Challenges and Outlook
  • 14. © 2013 SAP AG. All rights reserved. 15Public Education • The prerequisite for achieving a high security quality Security awareness • Reducing the number of “built-in” security problems Trained persons • Analyze and fix vulnerabilities much more efficiently Trainings • Secure Programming, Build & Scan, Auditing, …. First Step: Security Training
  • 15. © 2013 SAP AG. All rights reserved. 16Public Secure Development Lifecycle (SDLC) at SAP Structure the investment of time and resources • to safeguard a high level of security • to ensure security standards across all areas Security requirements • are taken into account and • are implemented in all phases of product development
  • 16. © 2013 SAP AG. All rights reserved. 17Public The Different Roles Developer • fixes software security issues Security Expert • review scan results, decides on fixes Build Master • scans the source code, manages results Scrum Master • requests scan, assigns vulnerabilities to developers
  • 17. © 2013 SAP AG. All rights reserved. 18Public Infrastructure
  • 18. © 2013 SAP AG. All rights reserved. 19Public SAP Secure Software Development Life Cycle For passing D2P Q-gate, evidence has to be provided that the source code has been scanned and exploitables have been fixed. P2D: Planning to Development. / D2P: Development to Production. / P2R: Production to Ramp-up (gradual roll-out to customers). Code Scans
  • 19. © 2013 SAP AG. All rights reserved. 20Public Third Party Code Third party code • Open Source libraries and frameworks • Freeware • other third party components Different approaches • SAST analysis by SAP • Trusted (certified) vendors • Certificate from trusted third party (e.g., based on binary analysis) • SLA with vendor
  • 20. © 2013 SAP AG. All rights reserved. 21Public Agenda Why is SAP using Static Code Analysis? Secure Development Lifecycle at SAP Static Code Analysis at SAP Challenges and Outlook
  • 21. © 2013 SAP AG. All rights reserved. 22Public Code Scan Facts Over 2000 developers are using SAST tools Over 500 MLOC scanned Over 15000 issues removed Statistics Jan 2012 ABAP Java C,C++,C# Java and COther languages
  • 22. © 2013 SAP AG. All rights reserved. 23Public Language Scan Application ABAP SAP C/C++ Coverity Others HP/Fortify Security Scan Tools used at SAP
  • 23. © 2013 SAP AG. All rights reserved. 24Public Security Requirements SAP on Corporate Security Requirements • SAP Applications shall be free of backdoors • SQL injection vulnerabilities shall be avoided • Cross-Site Scripting vulnerabilities shall be prevented • Directory traversal vulnerabilities shall be prevented • The system shall be protected against buffer overflow vulnerabilities OWASP Top 10 CWE/SANS Top 25 2011 CVE
  • 24. © 2013 SAP AG. All rights reserved. 25Public Continuous Improvement Collect feedback from the • Product Security Response Team • Development Teams Develop rules/models to improve the scans Continuously improve the infrastructure Continuously improve the rollout process
  • 25. © 2013 SAP AG. All rights reserved. 26Public Input to Improve Code Scans BuildSource Code Normalized/ Abstract Format Analyze/Scan Analysis Results Review and Fix Security Response Team Security Messages Security Code Scan Team Rules/Models/Template/Filters Further input channels: Development teams, internal research, scan reviews, code reviews
  • 26. © 2013 SAP AG. All rights reserved. 27Public Lessons Learned Scans have to be obligatory • but not introduced „brute force‟ Establish Secure Development Life Cycle • make scans a natural part of development Plan carefully • Do not start with scans right before Dev. Close • Do it regularly (nightly) • Do regression testing of new versions of the used tools • Do continuously discuss new threats with the security community Do not introduce changes during development
  • 27. © 2013 SAP AG. All rights reserved. 28Public Agenda Why is SAP using Static Code Analysis? Secure Development Lifecycle at SAP Static Code Analysis at SAP Challenges and Outlook
  • 28. © 2013 SAP AG. All rights reserved. 29Public Challenges
  • 29. © 2013 SAP AG. All rights reserved. 30Public JavaScript I Unerstand the DOM Resulting in a DOM-based XSS attack Warning: DOM implementations are Browser specific <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.URL.indexOf("name=")+5; document.write(document.URL.substring (pos,document.URL.length)); </SCRIPT> Welcome to our system Assume the following (simplified) index.html: And a call index.html?name=<script>alert(document.cookie)</script>
  • 30. © 2013 SAP AG. All rights reserved. 31Public JavaScript II Dynamic Evaluation Or using eval() directly (not shown here) <script language="javascript"> document.write("<script src=‟other.js‟></script>"); </script> A simple script tag: Dynamic creation of script tags var oHead = document.getElementsByTagName(‟HEAD‟).item(0); var oScript= document.createElement("script"); oScript.type = "text/javascript"; oScript.src="other.js"; oHead.appendChild( oScript);
  • 31. © 2013 SAP AG. All rights reserved. 32Public JavaScript II Dynamic Evaluation Or using eval() directly (not shown here) <script language="javascript"> document.write("<script src=‟other.js‟></script>"); </script> A simple script tag: Dynamic creation of script tags var oHead =ndocument.getElementsByTagName(‟HEAD‟).item(0); var oScript= document.createElement("script"); oScript.type = "text/javascript"; oScript.src="other.js"; oHead.appendChild( oScript);
  • 32. © 2013 SAP AG. All rights reserved. 33Public JavaScript III Server-Side JavaScript var entry=JSON.parse(data); query = “insert into ”FOO(“.NAME”)””; var conn = $.db.getConnection(); conn.execute(query); Combining the complexity of both worlds:
  • 33. © 2013 SAP AG. All rights reserved. 34Public Challenges: Current Trends SAST works very well for • “traditional” programming languages • Analyzing data paths within one technology Many new development uses JavaScript • HTML5 / JavaScript UIs • Server-side JavaScript JavaScript • Untyped / dynamically typed • Dynamic programming model “You cannot pay people well enough, to do proper code audits. I tried it.” Yaron Minsky, Jane Street Capital
  • 34. Thank you Contact information: Dr. Achim D. Brucker Senior Researcher Vincenz-Priessnitz-Strasse 1, 76131 Karlsruhe achim.brucker@sap.com http://xkcd.com/327/