SlideShare ist ein Scribd-Unternehmen logo

Just4Meeting 2012 - How to protect your web applications

Magno Logan
Magno Logan

Just4Meeting 2012 - How to protect your web applications Julho de 2012 em Cascais, Portugal. http://www.just4meeting.com/

Technologie
1 von 36
Downloaden Sie, um offline zu lesen
How to protect your web applications Magno Logan magno.logan@owasp.org OWASP Paraíba Chapter Leader
About Me Who am I? • Ex-developer • Security Analyst • Chapter Leader • Investments • Martial Arts
Paraíba?! I’m here! • Caipirinha • Soccer • Samba • Girls We have it all!
I live where you take vacations, sorry! =)
Agenda • They are everywhere! • Testing, testing, testing… • Guides, tools and much more • The insecure software lifecycle • How to solve these problems (maybe?)
They are everywhere!
They are everywhere! And they have bugs everywhere! • The cost of a data breach averages $5.5 million or $194 per customer record* • Companies that take security seriously can reduce the cost per customer by up to 62% * From a 2011 study by the Ponemon Institute
What are we doing wrong? • Secure application development is a top priority • But web applications are still the number one source of data breaches • We need to change the mindset of software development *From a 2011 Forrester Research study: Application Security: 2011 & Beyond
What are we doing wrong? • We’re in 2012 and SQL Injection is still the biggest issue! • The first public issue dates from 1998 • SQL Injections can lead to shell access now!
Why these still happens? Excuses to the problems: • Security is not important! Money is! • There is no time! • Developer’s fault! They are the scape goat of security!
Back to the basics CIA Triad
Now what? So, how to protect our apps?! 1. Threat Modeling 2. Security Testing 3. Code Review 4. SDL
Threat Modeling
Threat Modeling • Structured approach to identify and measure risks • It defines the security requisites • Allows the design to address the security issues • Helps the security testing and code reviews
Threat Modeling Process 1. Identify your assets 2. Create an architectural view 3. Decompose the software 4. Identify, document and classify the threats to your app
(Security) Design Patterns • Use them! There a lot out there! • Don’t reinvent the wheel! • Exception Handling • Input Validation • Protected Logging
Development Phase • Use a guide to implement your security, like the OWASP Developer’s Guide • Use unit test cases focused on security • Present security training to developers • Perform penetration testing and code reviews
OWASP Top 10 2010 Testing, testing, testing…
2011 CWE/SANS Top 25 And more testing…
So what do they do? • Protect you from common mistakes • Avoid you from getting hacked by automated tools/scanners and script kiddies By the way, if you work with AppSec and you never heard of these two docs…
You need to find another job!
How to apply them? Many FREE resources! Not just OWASP stuff…
Code reviews Ok, now what?! OWASP Code Review Guide • Code review takes a deeper look into your app • Things that automated scanners won’t find • You’ll see the common mistakes devs make
SDL We fixed the problems. How to stop them? • Implement a SDL process • Train your developers about app security • They don’t need to be experts, at least know how it works and how to protect their apps
Free Docs Yay! More free stuff… • OWASP ASVS – verify your security • OWASP OpenSAMM – create a security program • OWASP Developer’s Guide – tips to devs
Not yet… It’s not that simple… • If we have all that, why aren’t our apps secure? • Why even the big companies don’t follow the basic rules? Hello Linkedin!
Security Myths We know, we know… • Security costs money. Yeah, but so does development, support, operations, etc. • Security costs money. But it will save you a lot more! Why most companies still don’t see the value of security until they get hacked?
If it compiles, ship it! Like Dinis Cruz said at AppSec Latam 2011: Unless you’ve been hacked before… If it compiles, Ship it! That’s the motto in most dev companies
ISLC The real picture (Developer’s view) • They don’t like the security teams • They already work on a tight schedule • Security will increase their programming time
The ideal world How it should be… • Dev and infosec should work together • Security practices and implementations should be included in the schedule time • It will increase the apps protection and decrease the amount of bugs and work
Conclusions In a nutshell… • Security is not a plugin, it’s a process. • Test everything, every time they change. • Allocate time for security testing within your project • Never assume security controls are effective
OWASP Floripa Day Conferences 15 e 16 de Setembro https://www.owasp.org/index.php/OWASP_Floripa_Day_2012
AppSec Brazil 2012 Conferences OWASP AppSec Brazil 2012 In November in João Pessoa!
Questions? @magnologan @owasppb
References Wagner Elias. “Testar não é suficiente, tem que fazer direito!”. YSTS 2012 Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011 Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure- web-applications-infographic/ OWASP - www.owasp.org

Empfohlen

BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsMagno Logan
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersEoin Keary
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailDevSecCon
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015Daniel Liber
 

Empfohlen

BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsMagno Logan
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24 webinar - The economics of penetration testing in the new threat la...
Outpost24 webinar - The economics of penetration testing in the new threat la...Outpost24
 
Vulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersVulnerability management and threat detection by the numbers
Vulnerability management and threat detection by the numbersEoin Keary
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailShifting left – embedding security into the devops pipeline by Mike d. Kail
Shifting left – embedding security into the devops pipeline by Mike d. KailDevSecCon
 
BSides Vienna 2015
BSides Vienna 2015BSides Vienna 2015
BSides Vienna 2015Daniel Liber
 
DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOpsSeniorStoryteller
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureDevOps Indonesia
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersFrank Victory
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSeniorStoryteller
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
Top Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTop Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTechWell
 
DevOps not a Toolbox
DevOps not a ToolboxDevOps not a Toolbox
DevOps not a ToolboxDevOps Indonesia
 
Make Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksMake Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksSatyajit Malugu
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletinAdrian Sanabria
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...Freek Kauffmann
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDFranklin Mosley
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon
 
Taking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelTaking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelWhiteSource
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSLostar
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)Qualitest
 
New Barriers of Transformation
New Barriers of TransformationNew Barriers of Transformation
New Barriers of TransformationDevOps Indonesia
 
_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdfEnov8
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24
 

Weitere ähnliche Inhalte

Was ist angesagt?

DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureDevOps Indonesia
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersFrank Victory
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSeniorStoryteller
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
Top Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTop Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTechWell
 
Make Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksMake Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksSatyajit Malugu
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...Freek Kauffmann
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDFranklin Mosley
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon
 
Taking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelTaking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelWhiteSource
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSLostar
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)Qualitest
 
New Barriers of Transformation
New Barriers of TransformationNew Barriers of Transformation
New Barriers of TransformationDevOps Indonesia
 

Was ist angesagt? (20)

DevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatopsDevSecCon Asia 2017 Arun N: Securing chatops
DevSecCon Asia 2017 Arun N: Securing chatops
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
Automation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackersAutomation and open source turning the tide on the attackers
Automation and open source turning the tide on the attackers
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating Security
 
Top Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test AutomationTop Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test Automation
 
DevOps not a Toolbox
DevOps not a ToolboxDevOps not a Toolbox
DevOps not a Toolbox
 
Make Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of FrameworksMake Your UI Tests Resilient with the Next Generation of Frameworks
Make Your UI Tests Resilient with the Next Generation of Frameworks
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletin
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
 
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
DevOps Security Coffee - Lazy hackers who think out of the box, but stay in t...
 
RoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CDRoboCop: Bringing Law and Order to CI/CD
RoboCop: Bringing Law and Order to CI/CD
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the governmentDevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
 
Taking Open Source Security to the Next Level
Taking Open Source Security to the Next LevelTaking Open Source Security to the Next Level
Taking Open Source Security to the Next Level
 
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESSBest Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
 
New Barriers of Transformation
New Barriers of TransformationNew Barriers of Transformation
New Barriers of Transformation
 

Ähnlich wie Just4Meeting 2012 - How to protect your web applications

_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdfEnov8
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24
 
DevOps and the Future of InfoSec
DevOps and the Future of InfoSecDevOps and the Future of InfoSec
DevOps and the Future of InfoSecDarin Morris
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранSigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabadkunwaratul hax0r
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOpsShannon Lietz
 
Improve Security through Continuous Testing
Improve Security through Continuous TestingImprove Security through Continuous Testing
Improve Security through Continuous TestingTechWell
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
DevSecOps with Microsoft Tech
DevSecOps with Microsoft TechDevSecOps with Microsoft Tech
DevSecOps with Microsoft TechDarin Morris
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
DevOps and the Future of Information Security
DevOps and the Future of Information SecurityDevOps and the Future of Information Security
DevOps and the Future of Information SecurityDarin Morris
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24
 

Ähnlich wie Just4Meeting 2012 - How to protect your web applications (20)

_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOpsOutpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
 
DevOps and the Future of InfoSec
DevOps and the Future of InfoSecDevOps and the Future of InfoSec
DevOps and the Future of InfoSec
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya JancaDevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabad
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOps
 
Improve Security through Continuous Testing
Improve Security through Continuous TestingImprove Security through Continuous Testing
Improve Security through Continuous Testing
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?The Unlikely Couple, DevOps and Security. Can it work?
The Unlikely Couple, DevOps and Security. Can it work?
 
DevSecOps with Microsoft Tech
DevSecOps with Microsoft TechDevSecOps with Microsoft Tech
DevSecOps with Microsoft Tech
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
DevOps and the Future of Information Security
DevOps and the Future of Information SecurityDevOps and the Future of Information Security
DevOps and the Future of Information Security
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOps
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
 

Mehr von Magno Logan

DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...Magno Logan
 
Katana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoKatana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoMagno Logan
 
OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)Magno Logan
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site TracingMagno Logan
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
OWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BROWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BRMagno Logan
 
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasTratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasMagno Logan
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Magno Logan
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...Magno Logan
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan
 
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...Magno Logan
 
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...Magno Logan
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
 
GTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroGTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroMagno Logan
 
ENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebMagno Logan
 
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEEAppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEEMagno Logan
 

Mehr von Magno Logan (20)

DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
 
Katana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoKatana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da Informação
 
OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 
OWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BROWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BR
 
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasTratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
 
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
 
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck Willis
 
GTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroGTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguro
 
ENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na Web
 
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEEAppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
 

Kürzlich hochgeladen

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Kürzlich hochgeladen (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Just4Meeting 2012 - How to protect your web applications

  • 1. How to protect your web applications Magno Logan magno.logan@owasp.org OWASP Paraíba Chapter Leader
  • 2. About Me Who am I? • Ex-developer • Security Analyst • Chapter Leader • Investments • Martial Arts
  • 3. Paraíba?! I’m here! • Caipirinha • Soccer • Samba • Girls We have it all!
  • 4. I live where you take vacations, sorry! =)
  • 5. Agenda • They are everywhere! • Testing, testing, testing… • Guides, tools and much more • The insecure software lifecycle • How to solve these problems (maybe?)
  • 7. They are everywhere! And they have bugs everywhere! • The cost of a data breach averages $5.5 million or $194 per customer record* • Companies that take security seriously can reduce the cost per customer by up to 62% * From a 2011 study by the Ponemon Institute
  • 8. What are we doing wrong? • Secure application development is a top priority • But web applications are still the number one source of data breaches • We need to change the mindset of software development *From a 2011 Forrester Research study: Application Security: 2011 & Beyond
  • 9. What are we doing wrong? • We’re in 2012 and SQL Injection is still the biggest issue! • The first public issue dates from 1998 • SQL Injections can lead to shell access now!
  • 10.
  • 11. Why these still happens? Excuses to the problems: • Security is not important! Money is! • There is no time! • Developer’s fault! They are the scape goat of security!
  • 12. Back to the basics CIA Triad
  • 13. Now what? So, how to protect our apps?! 1. Threat Modeling 2. Security Testing 3. Code Review 4. SDL
  • 15. Threat Modeling • Structured approach to identify and measure risks • It defines the security requisites • Allows the design to address the security issues • Helps the security testing and code reviews
  • 16. Threat Modeling Process 1. Identify your assets 2. Create an architectural view 3. Decompose the software 4. Identify, document and classify the threats to your app
  • 17. (Security) Design Patterns • Use them! There a lot out there! • Don’t reinvent the wheel! • Exception Handling • Input Validation • Protected Logging
  • 18. Development Phase • Use a guide to implement your security, like the OWASP Developer’s Guide • Use unit test cases focused on security • Present security training to developers • Perform penetration testing and code reviews
  • 19. OWASP Top 10 2010 Testing, testing, testing…
  • 20. 2011 CWE/SANS Top 25 And more testing…
  • 21. So what do they do? • Protect you from common mistakes • Avoid you from getting hacked by automated tools/scanners and script kiddies By the way, if you work with AppSec and you never heard of these two docs…
  • 22. You need to find another job!
  • 23. How to apply them? Many FREE resources! Not just OWASP stuff…
  • 24. Code reviews Ok, now what?! OWASP Code Review Guide • Code review takes a deeper look into your app • Things that automated scanners won’t find • You’ll see the common mistakes devs make
  • 25. SDL We fixed the problems. How to stop them? • Implement a SDL process • Train your developers about app security • They don’t need to be experts, at least know how it works and how to protect their apps
  • 26. Free Docs Yay! More free stuff… • OWASP ASVS – verify your security • OWASP OpenSAMM – create a security program • OWASP Developer’s Guide – tips to devs
  • 27. Not yet… It’s not that simple… • If we have all that, why aren’t our apps secure? • Why even the big companies don’t follow the basic rules? Hello Linkedin!
  • 28. Security Myths We know, we know… • Security costs money. Yeah, but so does development, support, operations, etc. • Security costs money. But it will save you a lot more! Why most companies still don’t see the value of security until they get hacked?
  • 29. If it compiles, ship it! Like Dinis Cruz said at AppSec Latam 2011: Unless you’ve been hacked before… If it compiles, Ship it! That’s the motto in most dev companies
  • 30. ISLC The real picture (Developer’s view) • They don’t like the security teams • They already work on a tight schedule • Security will increase their programming time
  • 31. The ideal world How it should be… • Dev and infosec should work together • Security practices and implementations should be included in the schedule time • It will increase the apps protection and decrease the amount of bugs and work
  • 32. Conclusions In a nutshell… • Security is not a plugin, it’s a process. • Test everything, every time they change. • Allocate time for security testing within your project • Never assume security controls are effective
  • 33. OWASP Floripa Day Conferences 15 e 16 de Setembro https://www.owasp.org/index.php/OWASP_Floripa_Day_2012
  • 34. AppSec Brazil 2012 Conferences OWASP AppSec Brazil 2012 In November in João Pessoa!
  • 36. References Wagner Elias. “Testar não é suficiente, tem que fazer direito!”. YSTS 2012 Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011 Building Secure Web Applications Infographic - http://www.veracode.com/blog/2012/06/building-secure- web-applications-infographic/ OWASP - www.owasp.org