Security as a part of quality assurance

•

0 recomendaciones•915 vistas

Boy Baukema

Tecnología

In custom software,  
if you haven’t properly tested it, it probably
doesn’t work.

This goes for both functional and nonfunctional
requirements.

!
Worse yet if you  
don’t even know what ‘it’ is supposed to be.

Boy Baukema
Security Specialist @ Ibuildings.nl

Security what?
Senior Engineer
+ interest in WebAppSec
+ 4 hours a week R&D
+ internal training & consultancy
+ internal & external auditing

The plan
1. The journey
2. The holy grail
3. Riding off into the sunset

– My CTO
“Make security something I can sell,
give managers a knob to turn.”

LEVEL 1 LEVEL 2 LEVEL 3
CHAPTER 1 
1.1 
1.2 
1.3
!
X
!
!
X
!
X
!
X
X
X
CHAPTER 2 
2.1 
2.2 
2.3
X 
X
 
X
X 
X
!
X
X 
X

ASVS (2013) Levels
Level 0 - Bullshit compliance level (0)
Level 1 - Opportunistic (47)
Level 2 - Standard (136)
Level 3 - Advanced (164)

ASVS Chapters
V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and
Logging
V7. Data Protection
!
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile

V1.4. Verify that credentials and all other
identity information handled by the application
does not traverse unencrypted or weakly
encrypted links.
(level 1, 2 & 3)
!

–OWASP ASVS 2009 Level 2
V2.7 Verify that the strength of any
authentication credentials are suﬃcient to
withstand attacks that are typical of the threats
in the deployed environment.

AASVS 2009, Scanners &  
Report Generator

–OWASP ASVS 2013 Beta,  
Application Security
Veriﬁcation Levels
“… scope of the veriﬁcation may go beyond the
application’s custom-built code and include
external components. Achieving a veriﬁcation
level under such scrutiny can be represented
by annotating a “+” symbol to the veriﬁcation
level”

Security Testing
One aspect of a Secure Development LifeCycle

Más contenido relacionado

Destacado

Session 1: ICT & Meaningful LearningAshley Tan

ICT Quality AssuranceAshley Tan

Test Life CycleNilesh Patange

Quality Assurance in Software Ind.Heritage Institute Of Tech,India

2 quality assuranceJyothi Chinnasamy

Quality Assurance Vs Quality ControlYogita patil

Introduction To Software Quality Assuranceruth_reategui

Quality Assurance and Software Testingpingkapil

QUALITY ASSURANCEPharmaceutical

Destacado (9)

Session 1: ICT & Meaningful Learning

ICT Quality Assurance

Test Life Cycle

Quality Assurance in Software Ind.

2 quality assurance

Quality Assurance Vs Quality Control

Introduction To Software Quality Assurance

Quality Assurance and Software Testing

QUALITY ASSURANCE

Similar a Security as a part of quality assurance

Dpc14 security as part of Quality AssuranceBoy Baukema

Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena

Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.

Agile and Secure DevelopmentNazar Tymoshyk, CEH, Ph.D.

Building an AppSec Team Extended CutMike Spaulding

Mike Spaulding - Building an Application Security Programcentralohioissa

개발자가 알아야 할 보안Johnny Cho

Security Services and Approach by Nazar TymoshykSoftServe

Agnitio: its static analysis, but not as we know itSecurity BSides London

SecurityZuko Lopez

What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen

Certified Ethical Hacking (CEH V9) Course Details | EC-CouncilCRAW CYBER SECURITY PVT LTD

Application Security Risk AssessmentThomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²

Software risk managementJose Javier M

wannabe Cyberpunk; “I don’t know what I’m supposed to do.”Moshiul Islam, CISSP, CISA, CFE

Owasp tdssnyff

Horusec - Security & VulnerabilityKnoldus Inc.

The Principles of Secure Development - BSides Las Vegas 2009Security Ninja

Keynote Session : NIST - Cyber Security Framework Measuring SecurityPriyanka Aash

12 Crucial Windows Security Skills for 2018Paula Januszkiewicz

Similar a Security as a part of quality assurance (20)

Dpc14 security as part of Quality Assurance

Security as a New Metric for Your Business, Product and Development Lifecycle...

Security as a new metric for Business, Product and Development Lifecycle

Agile and Secure Development

Building an AppSec Team Extended Cut

Mike Spaulding - Building an Application Security Program

개발자가 알아야 할 보안

Security Services and Approach by Nazar Tymoshyk

Agnitio: its static analysis, but not as we know it

Security

What Every Developer And Tester Should Know About Software Security

Certified Ethical Hacking (CEH V9) Course Details | EC-Council

Application Security Risk Assessment

Software risk management

wannabe Cyberpunk; “I don’t know what I’m supposed to do.”

Owasp tds

Horusec - Security & Vulnerability

The Principles of Secure Development - BSides Las Vegas 2009

Keynote Session : NIST - Cyber Security Framework Measuring Security

12 Crucial Windows Security Skills for 2018

Más de Boy Baukema

Security horrorsBoy Baukema

Tampering with JavaScriptBoy Baukema

Code by the sea: Web Application SecurityBoy Baukema

Ibuildings ISO 27001 lunchboxBoy Baukema

OWASP ASVS 3 - What's new for level 1?Boy Baukema

Verifying Drupal modules with OWASP ASVS 2014Boy Baukema

Secure Drupal, from start to finishBoy Baukema

Recursive descent parsingBoy Baukema

SURFconext and MobileBoy Baukema

WebAppSec @ Ibuildings in 2014Boy Baukema

Let's build a parser!Boy Baukema

Javascript: 8 Reasons Every PHP Developer Should Love ItBoy Baukema

Más de Boy Baukema (12)

Security horrors

Tampering with JavaScript

Code by the sea: Web Application Security

Ibuildings ISO 27001 lunchbox

OWASP ASVS 3 - What's new for level 1?

Verifying Drupal modules with OWASP ASVS 2014

Secure Drupal, from start to finish

Recursive descent parsing

SURFconext and Mobile

WebAppSec @ Ibuildings in 2014

Let's build a parser!

Javascript: 8 Reasons Every PHP Developer Should Love It

Último

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous

2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong

HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics

A Domino Admins Adventures (Engage 2024)Gabriella Davis

GenCyber Cyber Security Day PresentationMichael W. Hawkins

Automating Google Workspace (GWS) & more with Apps Scriptwesley chun

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

Tech Trends Report 2024 Future Today Institute.pdfhans926745

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays

Real Time Object Detection Using Open CVKhem

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo

Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun

A Year of the Servo Reboot: Where Are We Now?Igalia

The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los

Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung

Histor y of HAM Radio presentation slidevu2urc

Developing An App To Navigate The Roads of BrazilV3cube

presentation ICT roal in 21st century educationjfdjdjcjdnsjd

Security as a part of quality assurance

1. Security A part of Quality Assurance

2. In custom software,   if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and nonfunctional requirements. ! Worse yet if you   don’t even know what ‘it’ is supposed to be.

3. Boy Baukema Security Specialist @ Ibuildings.nl

4. Security what? Senior Engineer + interest in WebAppSec + 4 hours a week R&D + internal training & consultancy + internal & external auditing

5. Wait, where?

6. You

7. The plan 1. The journey 2. The holy grail 3. Riding off into the sunset

10. – My CTO “Make security something I can sell, give managers a knob to turn.”

11.

12. LEVEL 1 LEVEL 2 LEVEL 3 CHAPTER 1  1.1  1.2  1.3 ! X ! ! X ! X ! X X X CHAPTER 2  2.1  2.2  2.3 X  X   X X  X ! X X  X

13. ASVS (2013) Levels Level 0 - Bullshit compliance level (0) Level 1 - Opportunistic (47) Level 2 - Standard (136) Level 3 - Advanced (164)

14. ASVS Chapters V1. Authentication V2. Session Management V3. Access Control V4. Input Validation V5. Cryptography (at Rest) V6. Error Handling and Logging V7. Data Protection ! V8. Communication Security V9. HTTP Security V10. Malicious Controls V11. Business Logic V12. Files and Resources V13. Mobile

15. V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3) !

16.

17. –OWASP ASVS 2009 Level 2 V2.7 Verify that the strength of any authentication credentials are suﬃcient to withstand attacks that are typical of the threats in the deployed environment.

18. AASVS 2009, Scanners &   Report Generator

19. –Sahba Kazerooni “Done any day now!”

20. –OWASP ASVS 2013 Beta,   Application Security Verification Levels “… scope of the verification may go beyond the application’s custom-built code and include external components. Achieving a verification level under such scrutiny can be represented by annotating a “+” symbol to the verification level”

21. OWASP AASVS 2013

22. Security Assurance Maturity Model

23. Security Testing One aspect of a Secure Development LifeCycle

24. To be continued...