SlideShare una empresa de Scribd logo

Secure Software Development Lifecycle - Devoxx MA 2018

Imola Informatica
Imola Informatica

Slides from our talk @Devoxx MA 2018. We discuss Secure Software Development Lifecycle practices, recommendations, and tools, and we show practical examples of bad progamming habits that can be mitigated.

Tecnología
1 de 49
Descargar para leer sin conexión
SSDLC - Secure Software Development Lifecycle L. Molari – S. Monti – A. Proscia @imolinfo https://www.imolainformatica.it
How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } #SSDLC@imolinfo
How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } source Reuters: https://reut.rs/2QsGivt #SSDLC@imolinfo
A little patch… #SSDLC@imolinfo
Security costs. Average cost of a data breach in 2017 was… #SSDLC@imolinfo
Security costs. When you don’t care about it. …3.62 milions of dollars. source IBM: https://ibm.co/2tMp7ek #SSDLC@imolinfo
GDPR: Take care of users data With GDPR, data breaches will be more and more expensive: fines up to € 20M #SSDLC@imolinfo
Security misconceptions Security should not be a matter of fences… #SSDLC@imolinfo
Security misconceptions …or products or tools either #SSDLC@imolinfo
Key Principles Security should be a process #SSDLC@imolinfo Security should be testable Security should be measurable
Security as a Process #SSDLC@imolinfo Security should be a process
Software Development LifeCycle SDLC #SSDLC@imolinfo «Security» goes here
A typical perspective #SSDLC@imolinfo Don’t care about Security Let’s deliver the application
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
SSDLC Landscape Analysis Design Development SAST Code Review Software Component Analysis Testing DAST / IAST Maintenance SIEM Vault Management Issue TrackingIndipendent Vulnerability Assessment Risk Management Consolidated Security Standard Security Best Practices Threat Modelling Secure Coding Guidelines Security Response Planning Secure Testing Policies Security Response Execution Education & Awareness RASP Enterprise Information Security Architecture Continuous Vulnerability Assessment #SSDLC@imolinfo
OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
Security Testing Tools #SSDLC@imolinfo Security should be testable
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
SAST - Static Application Security Testing SAST lets you find flaws in source code using the best known patterns of bad programming habits #SSDLC@imolinfo
SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; #SSDLC@imolinfo
SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; Thank you guys! #SSDLC@imolinfo
SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); What’s wrong with you bro’??? #SSDLC@imolinfo
SonarQube #SSDLC@imolinfo A comprehensive platform for Quality Assurance and Static Analysis Source Testing
#SSDLC@imolinfo Let’s play!
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
Equifax Data Breach #SSDLC@imolinfo On march 2017 a serious flaw on Apache Struts 2.x was disclosed (CVE-2017-5638) ▪ Vulnerability allows Remote Code Execution ▪ Equifax Inc., a large USA credit reporting agency, was victim of an attack via this flaw ▪ Data of 145.5 milions of US citizens were stolen
Software Component Analysis Any lesson learnt from the Equifax data breach? #SSDLC@imolinfo
Software Component Analysis Know your software and its vulnerable components! “OWASP TOP 10 2017: A9:2017-Using Components with Known Vulnerabilities” #SSDLC@imolinfo Any lesson learnt from the Equifax data breach?
Software Component Analysis Answer to questions such as… …what components am I using? …what vulnerabilities am I inheriting? …where am I using this component? #SSDLC@imolinfo
Dependency Track A platform for comprehensive Software Component Analysis #SSDLC@imolinfo
#SSDLC@imolinfo Let’s play!
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
DAST - Dynamic Application Security Testing DAST lets us test applications using a black box approach #SSDLC@imolinfo
Zed Attack Proxy #SSDLC@imolinfo An integrated Web Application penetration testing tool with active and passive scanners
#SSDLC@imolinfo Let’s play!
Reverse proxy uses ZAP as HTTP proxy for connection to application Automated Tests HTTP Proxy ZAP Proxy Application CI Suite Zed Attack Proxy #SSDLC@imolinfo 1 2 3 6 4 Users and automated tests reach application through a reverse proxy ZAP passively records and scan requests of users and automated tests 5 A CI job fires ZAP active scan tests ZAP tries to attack application exploiting recorded requests A CI job collects reports from ZAP
Don’t rely only on tools… Perform routine code reviews #SSDLC@imolinfo Security is a matter of people and processes Build awareness through education
Security KPI Security should be measurable #SSDLC@imolinfo
CVSS – Common Vulnerability Score System #SSDLC@imolinfo Temporal Metric Group Exploit Code Maturity Remediation Level Report Confidence Modified Base Metrics Exploit Code Maturity Remediation Level Environmental Metric Group Report Confidence Exploitable Metrics Scope Impact Metrics Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A) Base Metric Group
CVSS - Common Vulnerability Score System #SSDLC@imolinfo Severity CVSSv2 CVSSv3 None N/A 0.0 Low 0.0-3.9 0.1-3.9 Medium 4.0-6.9 4.0-6.9 High 7.0-10.0 7.0-8.9 Critical N/A 9.0-10 Base Score Range
CVSS - An example? CVSS 10 CVE-2017-5638 (Equifax Data Breach Vulnerability) #SSDLC@imolinfo
WRT - Weighted Risk Trend #SSDLC@imolinfo Weighted Sum of vulnerabilities per application risk factor Example Blocker: 4 x 2.5 Critical: 133 x 2 Major: 508 x 1.5 Minor: 314 x 1 Application Risk Factor: 1.5 WRT = 2028
Security in a CI/CD process #SSDLC@imolinfo Software Security Checks Toolchain Software Component Analysis DAST OWASP ZAP SAST Continuos Integration SCM Issue Tracking Artifact Repository Container Security Platform Application Collaboration Suite SIEM
Key Takeaway points TOOLS can help you, but use them WISELY #SSDLC@imolinfo Security CAN fit your software development PROCESS Build security AWARENESS in your organization Security is TESTABLE and MEASURABLE in an AUTOMATED fashion
Do you have any question? 42!(*) (*) If you don’t know why 42 is your answer, I’ve got some bad news for you… Black Hats are the least of your problems: Vogons are on the way! #SSDLC@imolinfo
Luca Molari lmolari@imolainformatica.it @LMolr Stefano Monti smonti@imolainformatica.it @Ste_Monti Alessandro Proscia aproscia@imolainformatica.it @alex184it #SSDLC@imolinfo

Recomendados

DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Secure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party DependenciesSecure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party Dependencies
thariyarox
 
Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On) Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On)
Splunk
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
Splunk
 
Gap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOpsGap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOps
Marc Hornbeek
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
Alfred Ouyang
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 

Recomendados

DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Secure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party DependenciesSecure Software Development with 3rd Party Dependencies
Secure Software Development with 3rd Party Dependencies
thariyarox
 
Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On) Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On)
Splunk
 
Splunk Overview
Splunk OverviewSplunk Overview
Splunk Overview
Splunk
 
Gap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOpsGap Survey, Assessment and Analysis for DevSecOps
Gap Survey, Assessment and Analysis for DevSecOps
Marc Hornbeek
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
Alfred Ouyang
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
n|u - The Open Security Community
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Agile Process models
Agile Process modelsAgile Process models
Agile Process models
Student
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
Srishti Ahuja
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Splunk Architecture overview
Splunk Architecture overviewSplunk Architecture overview
Splunk Architecture overview
Alex Fok
 
Introduction To Software Engineering
Introduction To Software EngineeringIntroduction To Software Engineering
Introduction To Software Engineering
Leyla Bonilla
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
Liran Tal
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its Components
Mohibullah Saail
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation
PrasadThorat23
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
DevOps Presentation.pptx
DevOps Presentation.pptxDevOps Presentation.pptx
DevOps Presentation.pptx
Abdullah al Mamun
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
Rishi Kant
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
Security Innovation
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 

Más contenido relacionado

La actualidad más candente

Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
Liran Tal
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
 

La actualidad más candente (20)

Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Agile Process models
Agile Process modelsAgile Process models
Agile Process models
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Splunk Architecture overview
Splunk Architecture overviewSplunk Architecture overview
Splunk Architecture overview
 
Introduction To Software Engineering
Introduction To Software EngineeringIntroduction To Software Engineering
Introduction To Software Engineering
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its Components
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
DevOps Presentation.pptx
DevOps Presentation.pptxDevOps Presentation.pptx
DevOps Presentation.pptx
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 

Similar a Secure Software Development Lifecycle - Devoxx MA 2018

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
Puma Security, LLC
 
Secure by Design Microservices & Integrations
Secure by Design Microservices & IntegrationsSecure by Design Microservices & Integrations
Secure by Design Microservices & Integrations
Ballerina
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
baoyin
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
Source Conference
 

Similar a Secure Software Development Lifecycle - Devoxx MA 2018 (20)

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Secure by Design Microservices & Integrations
Secure by Design Microservices & IntegrationsSecure by Design Microservices & Integrations
Secure by Design Microservices & Integrations
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 

Último

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 

Último (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Secure Software Development Lifecycle - Devoxx MA 2018

  • 1. SSDLC - Secure Software Development Lifecycle L. Molari – S. Monti – A. Proscia @imolinfo https://www.imolainformatica.it
  • 2. How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } #SSDLC@imolinfo
  • 3. How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } source Reuters: https://reut.rs/2QsGivt #SSDLC@imolinfo
  • 5. Security costs. Average cost of a data breach in 2017 was… #SSDLC@imolinfo
  • 6. Security costs. When you don’t care about it. …3.62 milions of dollars. source IBM: https://ibm.co/2tMp7ek #SSDLC@imolinfo
  • 7. GDPR: Take care of users data With GDPR, data breaches will be more and more expensive: fines up to € 20M #SSDLC@imolinfo
  • 8. Security misconceptions Security should not be a matter of fences… #SSDLC@imolinfo
  • 9. Security misconceptions …or products or tools either #SSDLC@imolinfo
  • 10. Key Principles Security should be a process #SSDLC@imolinfo Security should be testable Security should be measurable
  • 11. Security as a Process #SSDLC@imolinfo Security should be a process
  • 13. A typical perspective #SSDLC@imolinfo Don’t care about Security Let’s deliver the application
  • 14. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 15. SSDLC Landscape Analysis Design Development SAST Code Review Software Component Analysis Testing DAST / IAST Maintenance SIEM Vault Management Issue TrackingIndipendent Vulnerability Assessment Risk Management Consolidated Security Standard Security Best Practices Threat Modelling Secure Coding Guidelines Security Response Planning Secure Testing Policies Security Response Execution Education & Awareness RASP Enterprise Information Security Architecture Continuous Vulnerability Assessment #SSDLC@imolinfo
  • 16. OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
  • 17. OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
  • 19. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 20. SAST - Static Application Security Testing SAST lets you find flaws in source code using the best known patterns of bad programming habits #SSDLC@imolinfo
  • 21. SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; #SSDLC@imolinfo
  • 22. SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; Thank you guys! #SSDLC@imolinfo
  • 23. SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
  • 24. SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
  • 25. SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); What’s wrong with you bro’??? #SSDLC@imolinfo
  • 28. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 29. Equifax Data Breach #SSDLC@imolinfo On march 2017 a serious flaw on Apache Struts 2.x was disclosed (CVE-2017-5638) ▪ Vulnerability allows Remote Code Execution ▪ Equifax Inc., a large USA credit reporting agency, was victim of an attack via this flaw ▪ Data of 145.5 milions of US citizens were stolen
  • 30. Software Component Analysis Any lesson learnt from the Equifax data breach? #SSDLC@imolinfo
  • 31. Software Component Analysis Know your software and its vulnerable components! “OWASP TOP 10 2017: A9:2017-Using Components with Known Vulnerabilities” #SSDLC@imolinfo Any lesson learnt from the Equifax data breach?
  • 32. Software Component Analysis Answer to questions such as… …what components am I using? …what vulnerabilities am I inheriting? …where am I using this component? #SSDLC@imolinfo
  • 33. Dependency Track A platform for comprehensive Software Component Analysis #SSDLC@imolinfo
  • 35. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 36. DAST - Dynamic Application Security Testing DAST lets us test applications using a black box approach #SSDLC@imolinfo
  • 37. Zed Attack Proxy #SSDLC@imolinfo An integrated Web Application penetration testing tool with active and passive scanners
  • 39. Reverse proxy uses ZAP as HTTP proxy for connection to application Automated Tests HTTP Proxy ZAP Proxy Application CI Suite Zed Attack Proxy #SSDLC@imolinfo 1 2 3 6 4 Users and automated tests reach application through a reverse proxy ZAP passively records and scan requests of users and automated tests 5 A CI job fires ZAP active scan tests ZAP tries to attack application exploiting recorded requests A CI job collects reports from ZAP
  • 40. Don’t rely only on tools… Perform routine code reviews #SSDLC@imolinfo Security is a matter of people and processes Build awareness through education
  • 41. Security KPI Security should be measurable #SSDLC@imolinfo
  • 42. CVSS – Common Vulnerability Score System #SSDLC@imolinfo Temporal Metric Group Exploit Code Maturity Remediation Level Report Confidence Modified Base Metrics Exploit Code Maturity Remediation Level Environmental Metric Group Report Confidence Exploitable Metrics Scope Impact Metrics Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A) Base Metric Group
  • 43. CVSS - Common Vulnerability Score System #SSDLC@imolinfo Severity CVSSv2 CVSSv3 None N/A 0.0 Low 0.0-3.9 0.1-3.9 Medium 4.0-6.9 4.0-6.9 High 7.0-10.0 7.0-8.9 Critical N/A 9.0-10 Base Score Range
  • 44. CVSS - An example? CVSS 10 CVE-2017-5638 (Equifax Data Breach Vulnerability) #SSDLC@imolinfo
  • 45. WRT - Weighted Risk Trend #SSDLC@imolinfo Weighted Sum of vulnerabilities per application risk factor Example Blocker: 4 x 2.5 Critical: 133 x 2 Major: 508 x 1.5 Minor: 314 x 1 Application Risk Factor: 1.5 WRT = 2028
  • 46. Security in a CI/CD process #SSDLC@imolinfo Software Security Checks Toolchain Software Component Analysis DAST OWASP ZAP SAST Continuos Integration SCM Issue Tracking Artifact Repository Container Security Platform Application Collaboration Suite SIEM
  • 47. Key Takeaway points TOOLS can help you, but use them WISELY #SSDLC@imolinfo Security CAN fit your software development PROCESS Build security AWARENESS in your organization Security is TESTABLE and MEASURABLE in an AUTOMATED fashion
  • 48. Do you have any question? 42!(*) (*) If you don’t know why 42 is your answer, I’ve got some bad news for you… Black Hats are the least of your problems: Vogons are on the way! #SSDLC@imolinfo