Security as a New Metric for Your
Business, Product and Development
Lifecycle
by Nazar Tymoshyk, SoftServe, Ph.D., CEH
OWASP Chapter Lviv invites you to the last OWASP Ukraine group meeting of this year. Spend two great days in Lviv with the best security specialists in Ukraine.
Registration: https://goo.gl/5hdvPH
http://owasp-lviv.blogspot.com/
Topics:
• Web and mobile application security
• Hacking REST- and JavaScript-based applications
• Breach investigation
• Reverse engineering
• Scams, rip-offs and manipulation of users' minds
• Cloud and non-cloud security
• Physical hacking + Escape Quest
November 14, 2015, Saturday, Lviv, 2A Sadova St.
Lviv coffee, cafés and beer, great company, new acquaintances, workshops, free knowledge: all of this awaits you in our cozy city!
OWASP Ukraine 2015
Security meetup in Lviv
Physical hacking
Escape quest
Lviv meetup, November 14, 2015
Elite HACKERS
Industry experts
The most interesting security event of Ukraine
Hands-on labs
Collaboration
Competition
Powered by
Security as a metric
H1 2014: total served 24, completed 10, internal 3, lost 14, win rate 67%
H1 2015: total served 26, completed 12, internal 3, lost 14, win rate 46%
The updated business model allows us to generate more revenue from the same amount of opportunities.
Agenda
• Business
• Products
• Developers
• Your imagination
• Questions
BUSINESS
A rough year: 2012
A more challenging year: 2013
• Akamai reports that 2013 attack traffic is averaging over 86% above normal.
• This report shows April 30 attack traffic is 117.53% higher than the 42% increase seen in 2012.
http://www.informationisbeautiful.net/visualizations/wor
WHY your clients NEED security
• Industry compliance
• Government regulation
• Business availability
• Capitalization
• Statistics of breaches
• Customer requirement
• Previous bad experience
Consequences of security FAILURE
• Trust
• Money
• Data stolen
• Time to recover
• Penalties for the incident
• Customers
• Reputation
• Super user
• Subscriptions
Your very sad client
Penalty tool
"We were hacked because of YOU!"
If your Cloud server is hacked….
PRODUCT
Simple ROI of product security
Connected cars are part of:
• smart houses
• smart TVs
• smart watches
• smart phones
• smart cars
• smart fridges
• ????
Typical security report delivered by a competitor
How security is linked to development
Design → Build → Test → Production
3rd-party or internal audit → a ton of security defects → then the process of re-coding, re-building, re-testing, re-auditing starts
BACK to re-coding, re-building, re-testing, re-auditing
GENERIC APPROACH FOR SECURITY
• Design: security requirements / risk and threat analysis
• Build: coding guidelines / code reviews / static analysis
• Test: security testing / dynamic analysis
• Production: vulnerability scanning / WAF
Proactive approach: requirements, threat analysis, coding guidelines, code review, static and dynamic analysis. Reactive approach: vulnerability scanning and WAF in production.
Secure SDLC
How it should look
With a proper security program, the number of security defects should decrease from phase to phase.
• Automated security tests, CI integrated
• Manual security / penetration testing (OWASP methodology)
• Secure coding trainings
• Regular vulnerability scans
Goals:
• Minimize the costs of security-related issues
• Avoid repetitive security issues
• Avoid an inconsistent level of security
• Determine the activities that pay back faster in the current state of the project
"Remember, I'm offering you the truth. Nothing more."
To do security or not to do
QA engineer vs. security expert
In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
In security testing, the security analyst team is concerned only with unexpected results, testing for the unknown and looking for weaknesses. They are EXPERTS.
"Our app code needs to be verified for security." (PM and SoftServe)
PM → request app verification → Security Center of Excellence
Security Center of Excellence → report from 2 security experts (report with findings) → PM
Non-compliant? Fix it! Compliant? Good boys!
The Security Center of Excellence then:
• Explains each security defect and its severity
• Fixes identified security defects
• Trains developers and QA
• Transfers checklists and guides
Result: demonstrate excellence, competitive advantage, great achievement
Scenario 1.
PM is worried about security on the project.
Code micro-assessment → Re-check → Monitor
How to present to the client and earn more $$$?
• Scan sources with tools
• Filter false positives
• Compile the report
• Review the architecture
• Dynamic test
• Rate risks
Delivery Director/PM (four-panel cartoon):
1. "We have found some security issues with your legacy code."
   "Oh, Rashid. Who wrote it?"
2. "Indian team. Our security experts can perform a comprehensive Security Assessment, and then our dev team will fix the identified defects, as it puts other projects under risk."
3. "Ok, do it. How much should it cost?"
   "Only $XX.XXX for the Security Assessment."
4. "Deal! Do it ASAP."
Report sample
DEVELOPMENT
Risks are for managers, not developers
PEOPLE always bypass restrictions if possible. Keep this in mind when you design security.
The typical developer:
• Focuses on functional requirements
• Knows about: OWASP Top 10; 1 threat (DEADLINE fail)
• Implements requirements as they can
• Testing is QA's job
"I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality" (c) Scott Hanselman
Developer & Security
Why doesn't code analysis solve the problem?
Many of the CWE vulnerability types are design issues or business logic issues.
Application security testing tools are being sold as a solution to the problem of insecure software.
Mobile banking app from Pakistan
What is wrong?
Recommended error messages by OWASP
Incorrect response examples:
• "Login for User foo: invalid password"
• "Login failed, invalid user ID"
• "Login failed; account disabled"
• "Login failed; this user is not active"
Correct response example:
• "Login failed; Invalid userID or password"
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
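The two response styles above side by side, as an added example in Python. This is not code from the deck or from the audited banking app: the in-memory user store, the PBKDF2 parameters and the function names are constructed for the demo. It also goes one step beyond the slide: besides using one message for every failure, the hardened version does the same amount of work for an unknown username as for a wrong password, so the response time does not leak what the message hides.

```python
"""Login failure handling following the OWASP Authentication Cheat Sheet
rule quoted above: one generic message for every failure.
Added example, not code from the audited app: the user store, the
PBKDF2 parameters and the function names are constructed for the demo."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000   # demo value; tune to your hardware in production
GENERIC_ERROR = "Login failed; Invalid userID or password"


def _derive(password: str, salt: bytes) -> bytes:
    """Password hashing via PBKDF2-HMAC-SHA256 from the standard library.
    A real service would normally use bcrypt, scrypt or Argon2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> tuple:
    """Create a (salt, derived_key) record for a new user."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed in-memory user store: username -> (salt, derived_key).
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record used for unknown usernames so that a failed lookup still
# costs one full PBKDF2 run (no timing difference between the two cases).
_DUMMY_SALT, _DUMMY_KEY = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> tuple:
    """The anti-pattern: the message says which half was wrong, and the
    early return for an unknown user is also measurably faster."""
    if username not in USERS:
        return False, "Login failed, invalid user ID"
    salt, key = USERS[username]
    if not hmac.compare_digest(_derive(password, salt), key):
        return False, f"Login for User {username}: invalid password"
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple:
    """Hardened: identical message for every failure, and the same
    amount of work whether or not the username exists."""
    salt, key = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    candidate = _derive(password, salt)
    # Evaluate both conditions so that the comparison always runs.
    matches = hmac.compare_digest(candidate, key)
    if username not in USERS or not matches:
        return False, GENERIC_ERROR
    return True, "OK"
```

The same rule applies to "forgot password" and registration endpoints: any path that answers differently for an existing and a non-existing account is a username oracle, whatever the login form says.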
What is wrong at the next stage of the login process?
Critical business logic bypass
It was possible to get the personal info (promo code, email, password etc.) of a subscription not related to the currently logged-in user using
Critical business logic bypass
It was possible to change the personal info of a subscription (email, password, name, etc.) using the User.updateSubscription method even when the appropriate user is not logged in.
Critical business logic bypass
• It is possible to convert any standalone subscription to managed, whether or not the appropriate user is logged in, using the User.setSubscriptionToManaged function (you can make any user pay for the paid features of your subscriptions).
Critical business logic bypass
It was possible to delete subscriptions / credit cards not related to the currently logged-in user using the User.deleteSubscription / User.deleteCreditCard function.
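The four findings above share one root cause: a mutator that trusts the subscription id from the request and never checks who is logged in or who owns the object. Added example in Python, not the audited application's code: the Subscription and Session types, the store and the function names are constructed. It shows the vulnerable shape next to a single server-side authorization gate that every mutator (update, set-to-managed, delete) goes through, and uses the same error for "does not exist" and "not yours" so ids cannot be enumerated through the error text.

```python
"""Object-level authorization for the subscription API. Added example
modelled on the findings above (User.updateSubscription,
User.setSubscriptionToManaged, User.deleteSubscription); the data model,
Session type and function names are constructed, not the audited code."""
from dataclasses import dataclass
from typing import Dict, Optional


class AuthorizationError(Exception):
    pass


@dataclass
class Subscription:
    id: int
    owner: str
    email: str
    managed: bool = False


@dataclass
class Session:
    user: Optional[str] = None   # None models "nobody is logged in"


def make_store() -> Dict[int, Subscription]:
    """Constructed data: two users, one subscription each."""
    return {
        1: Subscription(1, "alice", "alice@example.com"),
        2: Subscription(2, "bob", "bob@example.com"),
    }


def update_subscription_vulnerable(store, session, sub_id, email):
    """The finding: the handler trusts the id from the request and never
    asks who is logged in or who owns the object."""
    sub = store[sub_id]
    sub.email = email
    return sub


def _owned(store, session: Session, sub_id: int) -> Subscription:
    """Single gate every mutator goes through: a logged-in user AND
    ownership of the referenced object, both decided server-side."""
    if session.user is None:
        raise AuthorizationError("authentication required")
    sub = store.get(sub_id)
    # Same error for "missing" and "not yours", so ids cannot be enumerated.
    if sub is None or sub.owner != session.user:
        raise AuthorizationError("subscription not found")
    return sub


def update_subscription(store, session, sub_id, email):
    sub = _owned(store, session, sub_id)
    sub.email = email
    return sub


def set_subscription_to_managed(store, session, sub_id):
    sub = _owned(store, session, sub_id)
    sub.managed = True
    return sub


def delete_subscription(store, session, sub_id):
    _owned(store, session, sub_id)
    del store[sub_id]


def attempt(fn, *args) -> str:
    """Run a mutator and report whether authorization blocked it."""
    try:
        fn(*args)
        return "allowed"
    except AuthorizationError as e:
        return f"denied: {e}"
```

The gate is deliberately the only place that reads the session, so a new mutator cannot forget the check by accident: it either calls `_owned` or it has no way to obtain the object. These calls are also the natural content of an automated security test in CI: one assertion per mutator that an anonymous session and a different user's session are both denied.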
Browser exploitation framework
Social engineering
SQL injections to win a trip
Dumped admin password hashes
Simple SOAP request fuzzing allowed collecting information about existing system users: their emails, VIN, last access time, user ID and other confidential user/car related information.
Broken session management
Why so simple?
Story about hybrid mobile development in India
Reversing the Java / iOS application: this app feature
WEAK CRYPTOGRAPHY
Was cleaned up by the vendor team
REMOVED CODE APPEARS AGAIN IN THE APPSTORE APP
HARDCODED CREDENTIALS
Severity: Critical (C) / P1
Business impact: Medium (M) / P3
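A release gate for the hardcoded-credentials finding, as an added example in Python (not code from the deck or the audited app; the regexes, the placeholder filter and the sample lines are all constructed). It scans text for password assignments, API keys, credentials embedded in URLs, private key blocks and AWS access key ids, and skips obvious templates. Given the "removed code appears again in the AppStore app" slide, the assumption here is that the same scan runs both over the source tree and over the strings extracted from the shipped binary, so a secret that was deleted from the repository but re-introduced by a stale build or branch is still caught.

```python
"""Scan source or decompiled text for hard-coded credentials before a
release. Added example, not from the audited app or the deck: the regexes,
the placeholder filter and the sample lines are all constructed."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line_no: int
    kind: str
    line: str


# Each pattern matches the credential and (where present) its value, so the
# placeholder filter below can look at what was actually matched.
PATTERNS = {
    "password assignment": re.compile(
        r"""(?i)(pass(word)?|pwd|secret)\s*[:=]\s*["']?([^"'\s;]{4,})"""),
    "api key/token": re.compile(
        r"""(?i)(api[_-]?key|token|auth)\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})"""),
    "basic auth in URL": re.compile(r"https?://[^/\s:@]+:[^/\s:@]+@"),
    "private key block": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Values that are clearly templates or environment lookups, not secrets.
PLACEHOLDERS = re.compile(r"(?i)(changeme|your[_-]?|example|xxx+|\$\{|%s|<[^>]*>)")


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that contains a likely hard-coded secret."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m and not PLACEHOLDERS.search(m.group(0)):
                findings.append(Finding(n, kind, line.strip()))
                break   # one finding per line is enough for triage
    return findings


# Constructed sample resembling decompiled Java from a mobile app.
SAMPLE_LINES = [
    'String dbUrl = "jdbc:mysql://db.internal/bank";',
    'String dbPass = "Sup3rS3cr3t!";',
    'String apiKey = System.getenv("API_KEY");',
    'static final String API_KEY = "sk_live_0123456789abcdefGHIJ";',
    'String url = "https://svc:hunter2@api.example.com/v1";',
    'String template = "password = ${DB_PASSWORD}";',
    'String awsKey = "AKIAJ2X7Q9LMNOPQRST0";',
    '-----BEGIN RSA PRIVATE KEY-----',
]


def demo() -> List[Finding]:
    return scan_lines(SAMPLE_LINES)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line_no}: {f.kind}: {f.line}")
```

A regex scanner of this kind is a cheap first filter, not proof of absence: credentials assembled at runtime from several constants, or stored in resource files and keychains, need the reverse-engineering pass the deck describes.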
BACKEND SECURITY
Severity: Critical (C) / P1
Business impact: Critical (C) / P1
WEAK PASSWORDS
Severity: Critical (C) / P1
Business impact: Critical (C) / P1
DEVELOPER TEAM FACEPALM
ENCRYPTION PASSWORD AFTER APPSTORE RELEASE
SENSITIVE FILE ARTIFACTS
Severity: Low (L) / P4
Business impact: No business impact
All apps are considered safe until proven guilty by a security review
Financial institution
SENSITIVE CLIENT INFORMATION
AS A CONSEQUENCE, CUSTOMER TRUST COULD BE LOST.
Customer database dump
Defaults and sample files
Forgotten files on the server
Upload a Java shell and take the server under control
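Three of the findings above (a database dump left in the web root, default and sample files, and a server-executable file in an upload directory) are the kind of thing a pre-release sweep catches before a scanner or an attacker does. Added example in Python, not from the deck: the name rules, the list of upload directories and the temporary demo tree are constructed, and a real deployment would add its own allowlist for legitimate files that happen to match.

```python
"""Pre-release sweep of a web root for forgotten artifacts: database dumps,
backups, shipped sample/default files, diagnostic pages, VCS metadata, and
server-executable files inside upload directories. Added example, not from
the deck: the rules and the temporary demo tree are constructed."""
import os
import re
import tempfile
from pathlib import Path
from typing import List

SUSPICIOUS_NAME = re.compile(
    r"(?i)("
    r"\.(sql|bak|old|orig|swp|zip|tar|tgz|gz|log)$"          # dumps, backups, archives, logs
    r"|~$"                                                   # editor backup copies
    r"|(^|[._-])(sample|example|dist|default)([._-]|$)"      # shipped samples / config templates
    r"|^(phpinfo|info)\.php$"                                # diagnostic pages
    r"|^\.(git|svn|hg|env|DS_Store)$"                        # VCS metadata, dotenv files
    r")"
)

UPLOAD_DIRS = {"uploads", "upload", "files", "media"}
SERVER_EXECUTABLE = (".jsp", ".jspx", ".php", ".phtml", ".war", ".aspx", ".cgi")


def _executable_in_uploads(rel_path: str) -> bool:
    """An upload directory must never contain something the server will run."""
    parts = rel_path.split("/")
    in_uploads = any(p.lower() in UPLOAD_DIRS for p in parts[:-1])
    return in_uploads and rel_path.lower().endswith(SERVER_EXECUTABLE)


def sweep(root: Path) -> List[str]:
    """Walk the web root and return the relative paths of suspicious entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if SUSPICIOUS_NAME.search(name) or _executable_in_uploads(rel):
                findings.append(rel)
        # Flagging .git/.svn once is enough; do not descend into them.
        dirnames[:] = [d for d in dirnames if not SUSPICIOUS_NAME.search(d)]
    return sorted(findings)


DEMO_FILES = [  # constructed tree: what a careless deployment might contain
    "index.php",
    "css/site.css",
    "customers_dump.sql",
    "config.php.bak",
    "config.sample.php",
    "phpinfo.php",
    "uploads/shell.jsp",
    ".git/HEAD",
    ".env",
]


def demo() -> List[str]:
    """Build the demo tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in DEMO_FILES:
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("demo\n")
        return sweep(root)


if __name__ == "__main__":
    for finding in demo():
        print("leftover artifact:", finding)
```

Name-based checks are the cheap half; the other half is configuration: upload directories should be served with script execution disabled, so that a file like `uploads/shell.jsp` is returned as bytes rather than run, even if the sweep misses it.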
Is your product popular? You are the next target.
How to PROTECT?
• Security frameworks
• Right security requirements
• Penetration testing
• Code scan and review
• Security trainings
• Threat modelling
• Dedicated security expert
• OWASP.org
Add security into your PROCESS
THANK YOU
Contact me:
skype: root_nt
email: root.nt@gmail.com
Join OWASP:
http://owasp-lviv.blogspot.com/
FEEDBACK &
QUESTIONS
Home Work

Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Security Meetup in Lviv

  • 14. Super user Subscriptions Your very sad client Penalty tool We were hacked because of YOU!
  • 15. If your Cloud server is hacked….
  • 17. Simple ROI of Product security
  • 18. Connected Cars are part of smart houses smart TVs smart watches smart phones smart cars smart fridges ????
  • 19. Typical Security Report delivered by competitor
  • 20. How security is linked to development: then the process of re-Coding, re-Building, re-Testing, re-Auditing starts; a 3rd party or internal audit finds a ton of security defects; BACK to re-Coding, re-Building, re-Testing, re-Auditing
  • 21. Design, Build, Test, Production. GENERIC APPROACH FOR SECURITY: security requirements / risk and threat analysis; coding guidelines / code reviews / static analysis; security testing / dynamic analysis; vulnerability scanning / WAF. Reactive Approach / Proactive Approach. Secure SDLC
  • 22. How it should look: with a proper Security Program the number of security defects should decrease from phase to phase. Automated security Tests, CI integrated; Manual Security/penetration Testing, OWASP methodology; Secure Coding trainings; Regular Vulnerability Scans. Minimize the costs of Security related issues; avoid repetitive security issues; avoid an inconsistent level of security; determine the activities that pay back fastest in the current state of the project
  • 23.
  • 24. Remember I'm offering you the truth. Nothing More. To do Security or not to Do
  • 25. QA Engineer vs. Security expert. In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results. In security testing, the security analysts' team is concerned only with unexpected results, testing for the unknown and looking for weaknesses. They are EXPERTS.
  • 26. Our app code needs to be verified for Security. PM and SoftServe: Demonstrate excellence, Competitive advantage. Reporting for 2 security experts; Report with findings; Fix it! Non compliant? Good boys! Security Center of Excellence; Request App verification; PM • Explain security defect and severity • Fix identified security defects • Train developers and QA • Transfer checklists and guides. Great Achievement. Scenario 1. PM worried about security on project. Code micro-assessment. Re-check, Monitor. Next page: How to present to client and earn more $$$? • Scan sources with Tools • Filter False Positives • Compile report • Review architecture • Dynamic test • Rate risks. Delivery Director/PM
  • 27. Oh Rashid, who wrote it? We have found some security issues with your legacy code. Indian team. Our security experts can perform a comprehensive Security Assessment and then our dev team will fix the identified defects, as they put other projects under risk. Ok, do it. How much should it cost? Only $XX.XXX for Security Assessment. Deal! Do it ASAP. 1 2 3 4
  • 30. Risks are for managers, not developers
  • 31. PEOPLE always bypass restrictions if possible. Keep this in mind when you design security
  • 32. Developer & Security • Focus on functional requirements • Know about: – OWASP Top 10 – 1 threat (DEADLINE fail) • Implement Requirements as they can • Testing is the QA's job. «I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality» (c) Scott Hanselman
  • 33. Why doesn't code analysis resolve the problem? Many of the CWE vulnerability types are design issues or business logic issues. Application security testing tools are being sold as a solution to the problem of insecure software.
  • 34. Mobile banking app from Pakistan
  • 36. Recommended error messages by OWASP Incorrect Response Examples "Login for User foo: invalid password" "Login failed, invalid user ID" "Login failed; account disabled" "Login failed; this user is not active" Correct Response Example "Login failed; Invalid userID or password" https://www.owasp.org/index.php/Authentication_Cheat_Sheet
  • 37. What is wrong on next stage of Login process?
  • 38. Critical Business Logic bypass. There was a possibility to get the personal info (promo code, email, password etc.) of a subscription which is not related to the currently logged-in User using
  • 39. Critical Business Logic bypass. There was a possibility to change the personal info of a subscription (e.g. email, password, name) using the User.updateSubscription method even when the appropriate user is not logged in
  • 40. Critical Business Logic bypass • There is a possibility to convert any standalone subscription to managed, no matter whether the appropriate user is logged in or not, using the User.setSubscriptionToManaged function (you can make any user pay for paid features of your subscriptions)
  • 41. Critical Business Logic bypass. There was a possibility to delete subscriptions/credit cards which are not related to the currently logged-in user using the User.deleteSubscription/deleteCreditCard function
  • 44. SQL-Injections to win a Trip Dumped admin password hashes
  • 45. Broken Session management. Simple SOAP request fuzzing allows collecting information about existing system users: their emails, VIN, last access time, user ID and other confidential user/car related information
  • 47. Story about Hybrid Mobile Development in India
  • 48. Reversing Java/iOS application: this app feature
  • 49. WEAK Cryptography: was cleaned up by Vendor Team
  • 50. REMOVED CODE APPEARS AGAIN IN APPSTORE APP: appears again in the App from the AppStore
  • 51. HARDCODED CREDENTIALS. Severity: Critical (C)/P1. Business impact: Medium (M)/P3
  • 52. BACKEND SECURITY. Severity: Critical (C)/P1. Business impact: Critical (C)/P1
  • 53. WEAK PASSWORDS. Severity: Critical (C)/P1. Business impact: Critical (C)/P1
  • 56. SENSITIVE FILE ARTIFACTS. Severity: Low (L)/P4. Business impact: No business impact
  • 57. All Apps are considered safe until proven guilty by a security review Financial Institution
  • 58. SENSITIVE CLIENT INFORMATION AS A CONSEQUENCE – CUSTOMERS TRUST COULD BE LOST.
  • 62. Upload Java shell and take server under control
  • 64. How to PROTECT? Security Frameworks Right Security Requirements Penetration Testing Code Scan and Review Security Trainings Threat Modelling Dedicated Security Expert OWASP.org
  • 65. Add Security into your PROCESS
  • 67. THANK YOU. Contact me: skype: root_nt email: root.nt@gmail.com Join OWASP: http://owasp-lviv.blogspot.com/ FEEDBACK & QUESTIONS
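Slide 36 (the single generic login response recommended by the OWASP Authentication Cheat Sheet) and slides 38–41 (subscription operations that could be called without the owning user being logged in) describe the two checks a small account service needs: an authentication response that does not reveal whether the user ID exists, and an object-level authorization check on every operation that takes a subscription id. The following is an added example and is not code from the presentation or from any of the projects it describes; the store, user names, subscription ids, the `Session` type and the PBKDF2 work factor are constructed for the demo. The defective `update_subscription_unsafe` is shown beside the hardened version so the missing check is visible:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Generic client-facing message from the OWASP Authentication Cheat Sheet:
# identical for unknown user, wrong password and disabled account.
GENERIC_FAILURE = "Login failed; Invalid userID or password"
PBKDF2_ROUNDS = 50_000  # assumption: work factor picked for this demo

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class User:
    user_id: str
    salt: bytes
    digest: bytes
    active: bool = True

@dataclass
class Subscription:
    sub_id: str
    owner_id: str
    email: str
    managed: bool = False

@dataclass
class Store:
    users: Dict[str, User] = field(default_factory=dict)
    subscriptions: Dict[str, Subscription] = field(default_factory=dict)

class AuthenticationRequired(Exception):
    """Caller has no session, i.e. is not logged in."""

class SubscriptionNotFound(Exception):
    """Used both for ids that do not exist and for ids the caller does not own,
    so the error does not reveal which other users' ids are valid."""

# Digest verified when the user ID is unknown: the request then costs the same
# time as a real check, so response timing does not reveal account existence.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-not-a-real-password")

# A "session" here is just the authenticated user id, or None when not logged in.
Session = Optional[str]

def login(store: Store, user_id: str, password: str) -> Tuple[Session, str, str]:
    """Returns (session, message for the client, reason for the server-side log)."""
    user = store.users.get(user_id)
    salt, digest = (user.salt, user.digest) if user else (_DUMMY_SALT, _DUMMY_DIGEST)
    matches = hmac.compare_digest(hash_password(password, salt)[1], digest)
    if user is None:
        return None, GENERIC_FAILURE, "unknown_user"
    if not matches:
        return None, GENERIC_FAILURE, "bad_password"
    if not user.active:
        return None, GENERIC_FAILURE, "account_disabled"
    return user.user_id, "Login successful", "ok"

def _owned_subscription(store: Store, session: Session, sub_id: str) -> Subscription:
    """Object-level authorization shared by every subscription operation."""
    if session is None:
        raise AuthenticationRequired()
    sub = store.subscriptions.get(sub_id)
    if sub is None or sub.owner_id != session:
        raise SubscriptionNotFound(sub_id)
    return sub

def update_subscription_unsafe(store: Store, sub_id: str, email: str) -> None:
    """The defect on slides 39-41: neither login nor ownership is checked,
    so any caller can modify any subscription whose id it knows."""
    store.subscriptions[sub_id].email = email

def update_subscription(store: Store, session: Session, sub_id: str, email: str) -> None:
    _owned_subscription(store, session, sub_id).email = email

def set_subscription_to_managed(store: Store, session: Session, sub_id: str) -> None:
    _owned_subscription(store, session, sub_id).managed = True

def delete_subscription(store: Store, session: Session, sub_id: str) -> None:
    _owned_subscription(store, session, sub_id)
    del store.subscriptions[sub_id]

def build_sample_store() -> Store:
    """Constructed sample data for the demo (not real accounts)."""
    store = Store()
    for uid, pw, active in (("alice", "correct horse battery staple", True),
                            ("bob", "bobs-password", False)):
        salt, digest = hash_password(pw)
        store.users[uid] = User(uid, salt, digest, active)
    store.subscriptions["s1"] = Subscription("s1", "alice", "alice@example.test")
    store.subscriptions["s2"] = Subscription("s2", "bob", "bob@example.test")
    return store
```

Two design choices matter here. The real failure reason (`unknown_user`, `bad_password`, `account_disabled`) is returned only for the server-side log, so operations can still tell an enumeration attempt from a locked account while the client sees one message. And `_owned_subscription` raises the same `SubscriptionNotFound` for an unknown id and for another user's id, so the hardened API cannot be used to confirm which subscription ids exist.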

Editor's notes

  1. The mind map made it clear which scenarios to use, and how, in order to bring benefits on existing projects: scenarios, money, involvement, executors, time frames, removing competitors, solving a range of business problems, for example removing competitors