SECURE
DEV.
BURHAN KHALID
BURHAN.KHALID@GMAIL.COM
TODAY’S TALK
•  3 Ps of Info. Security
•  Secure Development - Published Standards
•  Practical Best Practices – Implementation Guidelines
    •  S.I.T.A.T
•  Debunking Common Myths
THREE Ps OF
SECURITY
•  PEOPLE
•  PROCESS
•  PERSISTENCE / PRACTICE
•  SECURITY IS NOT = PRODUCT
WHY DEVELOPMENT
SECURITY?
•  MAJORITY of security vulnerabilities result from poor
   code
•  Great impact vs. minimal investment
•  Awareness at the basic, fundamental, core
•  Reciprocal effect
•  Best Use of Resources
STANDARDS
•  SSE-CMM
    •  Systems Security Engineering – Capability Maturity Model
•  TSP-Secure
    •  Team Software Process for Secure Software Development
•  Microsoft Trustworthy Computing Software Development Lifecycle
•  SAMM
    •  Software Assurance Maturity Model
•  SSF
   •  Software Security Framework
PRACTICAL IDEAS
•  Standardize
•  Isolate
•  Testing & Peer Reviews
•  Audits
•  Tooling
STANDARDIZE
•  Infrastructure
    •  What systems to use
    •  What versions/patches to deploy
•  Methodology
    •  Waterfall
    •  Agile
    •  Swimlanes
    •  Kanban Boards
    •  SDLC
•  Deployment Automation
ISOLATE
•  Development Stages
    •  Development
    •  Testing
    •  Staging
    •  Production
•  Isolate:
   •  Hardware
   •  Connectivity
   •  Credentials
        •    Centralized Credential Store (LDAP/AD/SSO/Federation)
•  Change Management Process
TESTING
•  Software should be tested by the following:
    •  Developers
    •  End Users
    •  Dedicated QA/QC Team
    •  Everyone in the company
    •  CEO-only
    •  Customer-only
    •  My Boss
•  One Good Test = Hours of Development time saved
•  One Bad Test = Hours of Development time wasted
•  Development Time = Money
GOOD TESTS VS.
BAD TESTS
•  Centralized Bug Database
    •  That everyone uses, not just developers
•  Good Tests = Good Bug Reports
    •  Repeatable
    •  Example
    •  Expected This, Got This
    •  BugCam / ScreenCapture
•  Bad Tests
   •  Bugs that can’t be reproduced
   •  Backlog of bugs
   •  Time wasted chasing non-software issues
PEER / CODE REVIEWS
•  Creating a proper environment
•  Peer Reviews vs. Testing
   •    Implementation vs. Execution
   •    Code / Algorithm Level
   •    “Is there a better way to write this loop?”
   •    Pool expertise together
   •    Learning Environment
TOOLING
•  Good Quality Tools = Good Quality Product
•  Standardize on tooling and frameworks
•  Standard Documentation and bootstrapping
   •  Use a wiki/intranet
   •  Geared towards developers
   •  Centralize machine images
ABOUT FRAMEWORKS
•  Software frameworks good:
    •  Set of rules that lead to benefits
    •  “Batteries Included”
    •  Save Development Time
          •    Common security headaches dealt with
•  Software frameworks bad:
    •  Black box – too much “magic”
    •  Another thing to patch/maintain
    •  Collateral damage
•  Conclusion:
    •  Use the Right framework, not the Popular framework
COMMON MYTHS
•  Complex passwords are secure passwords
•  Closed Source vs. Open Source
•  3rd Party Testing = Assurance
COMPLEX
PASSWORDS
•  Typical password requirements:
    •  1 CAPITAL letter
    •  1 lowercase letter
    •  1 numeric character
    •  1 “special” character
    •  8 characters in length
    •  Cannot repeat X passwords
•  Opposite Effect
   •  People write down passwords
   •  Repeat patterns (Apr@2012, May@2012)
Password policies have led to passwords that are difficult for
people to remember, but easy for machines to crack.
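Added example, not from the deck: a Python password-change checker that implements the checklist above and then shows why the checklist alone backfires. The constructed rotation pair Apr@2012 / May@2012 passes every rule and scores well on a naive length-times-charset meter, while a long lowercase passphrase is rejected; a second, history-aware check (a constructed month/year normalisation plus edit distance, an assumption of this example rather than any standard) catches the rotation that "cannot repeat X passwords" provokes.

```python
import math
import re

# The deck's typical checklist: 1 capital, 1 lowercase, 1 digit, 1 special, 8+ chars.
MIN_LEN = 8
CLASSES = {
    "upper": (re.compile(r"[A-Z]"), 26),
    "lower": (re.compile(r"[a-z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "special": (re.compile(r"[^A-Za-z0-9]"), 33),  # printable ASCII punctuation + space
}
MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"


def passes_complexity(pw: str) -> bool:
    """The slide's checklist policy, exactly as listed: every class present, MIN_LEN chars."""
    return len(pw) >= MIN_LEN and all(rx.search(pw) for rx, _ in CLASSES.values())


def naive_bits(pw: str) -> float:
    """Strength a checklist-style meter reports: length * log2(size of the classes present).
    This is the number that makes Apr@2012 look respectable."""
    size = sum(n for rx, n in CLASSES.values() if rx.search(pw))
    return len(pw) * math.log2(size) if size else 0.0


def normalise(pw: str) -> str:
    """Collapse the predictable parts so monthly rotations compare equal.
    Constructed heuristic (assumption of this example): lowercase, drop punctuation,
    replace month abbreviations with @m@ and 4-digit years with @y@."""
    s = re.sub(r"[^a-z0-9]", "", pw.lower())
    s = re.sub(MONTHS, "@m@", s)
    s = re.sub(r"(?:19|20)\d\d", "@y@", s)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch single-character bumps (Pass1! -> Pass2!)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_rotation_of_history(new_pw: str, history: list, max_edits: int = 2) -> bool:
    """True when the candidate is a predictable rotation of any earlier password:
    same shape after normalisation, or within max_edits raw edits of it."""
    shape = normalise(new_pw)
    for old in history:
        if normalise(old) == shape or levenshtein(new_pw.lower(), old.lower()) <= max_edits:
            return True
    return False


def evaluate(new_pw: str, history: list) -> tuple:
    """Decide a password-change request: (accepted, reason)."""
    if not passes_complexity(new_pw):
        return False, "fails complexity checklist"
    if is_rotation_of_history(new_pw, history):
        return False, "predictable rotation of a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history and candidates, modelled on the deck's Apr@2012 / May@2012.
    history = ["Apr@2012"]
    for candidate in ("May@2012", "Apr@2013", "purple tractor radio blanket", "Tr0ub4dor&3"):
        print(f"{candidate!r:32} checklist={passes_complexity(candidate)!s:5} "
              f"naive_bits={naive_bits(candidate):5.1f} -> {evaluate(candidate, history)}")
```

The checklist accepts both rotations and rejects the 28-character passphrase, which is the deck's point; the history check is what actually stops the Apr-to-May pattern.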
CLOSED SOURCE VS.
OPEN SOURCE
•  Common Myths:
    •  Since it's open, hackers know the code
    •  Anyone can find bugs and exploit them
•  The Truth:
   •  More Eyes = More People to Fix the bug
   •  If a bug is found, it is announced and quickly fixed
   •  No more “zero day” exploits
3RD PARTY TESTING
•  Myth
    •  They will test my code
    •  They will tell me what’s wrong
    •  If they say it passes, it is secure
•  Truth
    •  Testing done against published vulnerabilities only
    •  Report tells you what is wrong with your stack, not with your code.
          •    Apache vulnerability
          •    Windows patch missing
    •  Your code is evolving
THANK
YOU
QUESTIONS
@BURHAN – HTTP://SPKR8.COM/S/15462

Secured Development
