SlideShare una empresa de Scribd logo

App Sec Eu08 Sec Frm Not In Code

Samuele Reghenzi
Samuele Reghenzi

My presentation at App Sec Eu08 GANT

Tecnología
1 de 21
OWASP Europe Conference 2008 Security framework is not in the code Sam Reghenzi OWASP Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
Do we really need more security in our software? OWASP
Do we really need more security in our software? OWASP
Do we really need more security in our software? Number of security related vulnerabilities OWASP
Do we really need more security in our software? Number of security related vulnerabilities We need to build better software OWASP
#1 What we mean with Security Framework It is not Authentication and authorization Encryption Firewall software It could be An enterprise security approach A risk management framework for security related threats Defined steps in your (Secure) development life cycle OWASP
#1 What we mean with Security Framework It is not Authentication and authorization Encryption Firewall software It could be An enterprise security approach A risk management framework for security related threats Defined steps in your (Secure) development life cycle Application security is inside the application not around it OWASP
Traditions (And other bad habits) Security is a network problem and it can be solved with hardware No budget in development Software not developed in a security aware life cycle OWASP
Establish security in your DL Software engineering Find best practice to fit your team or company Test for abuse, not only for good use Measure code, bug and progress Social engineering Make good friends Be aware of your business compliancy Wait... something bad will happen OWASP
The ROI Problem Security in software development brings no direct revenue #1 Reduce costs #2 Bring evidence of risks #3 Sell security as a value OWASP
[Static]Code analysis Add security awareness in code reviews Add security blue prints in automatic code analysis Fix codebase and third party software OWASP
[Static]Code analysis The poor man so!ware security Add security awareness in code reviews Add security blue prints in automatic code analysis Fix codebase and third party software OWASP
Security Risk management Manage knowledge, identify risks, rank them and fix them Context Risk Sort Fix OWASP
Security Risk management Gather documentation #1 Gather information from management Gather information from the team Gather information from artifacts #2 Organize everything #3 Make the deal OWASP
Hot stages of SDLC The architectural design User stories The development Test driven The test Iterations The enhancement Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
Hot stages of SDLC Traditional The architectural design User stories The development Test driven The test Iterations The enhancement Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
Hot stages of SDLC Traditional Agile The architectural design User stories The development Test driven The test Iterations The enhancement Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
Hot stages of SDLC Traditional Agile The architectural design User stories The development Test driven The test Iterations The enhancement Touchpoints Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
Historical knowledge Know your enemies Find exploit earlier Find focus Prevent attack patterns Enrich security management framework OWASP
Tips Jump on the High availability train Mitigate Web 2.0 Deliver something concrete In Rome act like a Roman OWASP
Q&A ? OWASP

Recomendados

Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...Denim Group
 
Secure development of code
Secure development of codeSecure development of code
Secure development of codeSalomeVictor
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Suman Sourav
 

Recomendados

Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Sigma Software
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...Denim Group
 
Secure development of code
Secure development of codeSecure development of code
Secure development of codeSalomeVictor
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Suman Sourav
 
Security best practices
Security best practicesSecurity best practices
Security best practicesAVEVA
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
Ibm עמרי וייסמן
Ibm עמרי וייסמןIbm עמרי וייסמן
Ibm עמרי וייסמןlihig
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessAchim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Denim Group
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Matteo Meucci
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec MattersInnoTech
 
Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...
Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...
Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...Yandex
 
Software Security Certification
Software Security CertificationSoftware Security Certification
Software Security CertificationVskills
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Denim Group
 
Coverity Data Sheet
Coverity Data SheetCoverity Data Sheet
Coverity Data SheetJon Lundquist
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 
Android Secure Coding
Android Secure CodingAndroid Secure Coding
Android Secure CodingJPCERT Coordination Center
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudTjylen Veselyj
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena
 

Más contenido relacionado

La actualidad más candente

Security best practices
Security best practicesSecurity best practices
Security best practicesAVEVA
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
Ibm עמרי וייסמן
Ibm עמרי וייסמןIbm עמרי וייסמן
Ibm עמרי וייסמןlihig
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessAchim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Denim Group
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Matteo Meucci
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec MattersInnoTech
 
Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...
Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...
Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...Yandex
 
Software Security Certification
Software Security CertificationSoftware Security Certification
Software Security CertificationVskills
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Denim Group
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...Achim D. Brucker
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 

La actualidad más candente (19)

Security best practices
Security best practicesSecurity best practices
Security best practices
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Ibm עמרי וייסמן
Ibm עמרי וייסמןIbm עמרי וייסמן
Ibm עמרי וייסמן
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09
 
Why AppSec Matters
Why AppSec MattersWhy AppSec Matters
Why AppSec Matters
 
Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...
Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...
Николай Бьернер «Program Analysis and Testing using Efficient Satisfiability ...
 
Software Security Certification
Software Security CertificationSoftware Security Certification
Software Security Certification
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
 
Coverity Data Sheet
Coverity Data SheetCoverity Data Sheet
Coverity Data Sheet
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019
 
Android Secure Coding
Android Secure CodingAndroid Secure Coding
Android Secure Coding
 

Similar a App Sec Eu08 Sec Frm Not In Code

Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudTjylen Veselyj
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeDigital Defense Inc
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflowIan Sommerville
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applicationsalexbe
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital LandscapeDevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital Landscapestevecooper930744
 
ONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web ApplicationsONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web ApplicationsNetcetera
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteAntonio Fontes
 
Ibm עמרי וייסמן
Ibm עמרי וייסמןIbm עמרי וייסמן
Ibm עמרי וייסמןlihig
 
Omri
OmriOmri
Omrilihig
 
Bridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingBridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingRoberto Suggi Liverani
 

Similar a App Sec Eu08 Sec Frm Not In Code (20)

Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...Security as a New Metric for Your Business, Product and Development Lifecycle...
Security as a New Metric for Your Business, Product and Development Lifecycle...
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Security case buffer overflow
Security case buffer overflowSecurity case buffer overflow
Security case buffer overflow
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
OWASP - Building Secure Web Applications
OWASP - Building Secure Web ApplicationsOWASP - Building Secure Web Applications
OWASP - Building Secure Web Applications
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
NessPRO Italy on CAST
NessPRO Italy on CASTNessPRO Italy on CAST
NessPRO Italy on CAST
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital LandscapeDevSecOps Best Practices-Safeguarding Your Digital Landscape
DevSecOps Best Practices-Safeguarding Your Digital Landscape
 
ONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web ApplicationsONE Conference: Vulnerabilities in Web Applications
ONE Conference: Vulnerabilities in Web Applications
 
PHP under control
PHP under controlPHP under control
PHP under control
 
Confoo 2012 - Web security keynote
Confoo 2012 - Web security keynoteConfoo 2012 - Web security keynote
Confoo 2012 - Web security keynote
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
Ibm עמרי וייסמן
Ibm עמרי וייסמןIbm עמרי וייסמן
Ibm עמרי וייסמן
 
Omri
OmriOmri
Omri
 
Agile and Secure SDLC
Agile and Secure SDLCAgile and Secure SDLC
Agile and Secure SDLC
 
Bridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingBridging the gap - Security and Software Testing
Bridging the gap - Security and Software Testing
 

Más de Samuele Reghenzi

Scimmie noccioine e Frameworks
Scimmie noccioine e FrameworksScimmie noccioine e Frameworks
Scimmie noccioine e FrameworksSamuele Reghenzi
 
continuous integration rubyday Italy 2011
continuous integration rubyday Italy 2011continuous integration rubyday Italy 2011
continuous integration rubyday Italy 2011Samuele Reghenzi
 
Ugialtnet openid presentation
Ugialtnet openid presentationUgialtnet openid presentation
Ugialtnet openid presentationSamuele Reghenzi
 

Más de Samuele Reghenzi (6)

Scimmie noccioine e Frameworks
Scimmie noccioine e FrameworksScimmie noccioine e Frameworks
Scimmie noccioine e Frameworks
 
Why i hate node js
Why i hate node jsWhy i hate node js
Why i hate node js
 
Django story webdebs
Django story webdebsDjango story webdebs
Django story webdebs
 
continuous integration rubyday Italy 2011
continuous integration rubyday Italy 2011continuous integration rubyday Italy 2011
continuous integration rubyday Italy 2011
 
Ugialtnet openid presentation
Ugialtnet openid presentationUgialtnet openid presentation
Ugialtnet openid presentation
 
OpenId @JavaDayRoma
OpenId @JavaDayRomaOpenId @JavaDayRoma
OpenId @JavaDayRoma
 

Último

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Último (20)

Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

App Sec Eu08 Sec Frm Not In Code

  • 1. OWASP Europe Conference 2008 Security framework is not in the code Sam Reghenzi OWASP Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Do we really need more security in our software? OWASP
  • 3. Do we really need more security in our software? OWASP
  • 4. Do we really need more security in our software? Number of security related vulnerabilities OWASP
  • 5. Do we really need more security in our software? Number of security related vulnerabilities We need to build better software OWASP
  • 6. #1 What we mean with Security Framework It is not Authentication and authorization Encryption Firewall software It could be An enterprise security approach A risk management framework for security related threats Defined steps in your (Secure) development life cycle OWASP
  • 7. #1 What we mean with Security Framework It is not Authentication and authorization Encryption Firewall software It could be An enterprise security approach A risk management framework for security related threats Defined steps in your (Secure) development life cycle Application security is inside the application not around it OWASP
  • 8. Traditions (And other bad habits) Security is a network problem and it can be solved with hardware No budget in development Software not developed in a security aware life cycle OWASP
  • 9. Establish security in your DL Software engineering Find best practice to fit your team or company Test for abuse, not only for good use Measure code, bug and progress Social engineering Make good friends Be aware of your business compliancy Wait... something bad will happen OWASP
  • 10. The ROI Problem Security in software development brings no direct revenue #1 Reduce costs #2 Bring evidence of risks #3 Sell security as a value OWASP
  • 11. [Static]Code analysis Add security awareness in code reviews Add security blue prints in automatic code analysis Fix codebase and third party software OWASP
  • 12. [Static]Code analysis The poor man so!ware security Add security awareness in code reviews Add security blue prints in automatic code analysis Fix codebase and third party software OWASP
  • 13. Security Risk management Manage knowledge, identify risks, rank them and fix them Context Risk Sort Fix OWASP
  • 14. Security Risk management Gather documentation #1 Gather information from management Gather information from the team Gather information from artifacts #2 Organize everything #3 Make the deal OWASP
  • 15. Hot stages of SDLC The architectural design User stories The development Test driven The test Iterations The enhancement Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
  • 16. Hot stages of SDLC Traditional The architectural design User stories The development Test driven The test Iterations The enhancement Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
  • 17. Hot stages of SDLC Traditional Agile The architectural design User stories The development Test driven The test Iterations The enhancement Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
  • 18. Hot stages of SDLC Traditional Agile The architectural design User stories The development Test driven The test Iterations The enhancement Touchpoints Code review Abuse cases Penetration testing Security requirements Risk analysis OWASP
  • 19. Historical knowledge Know your enemies Find exploit earlier Find focus Prevent attack patterns Enrich security management framework OWASP
  • 20. Tips Jump on the High availability train Mitigate Web 2.0 Deliver something concrete In Rome act like a Roman OWASP
  • 21. Q&A ? OWASP