SECURE DEV.
BURHAN KHALID
BURHAN.KHALID@GMAIL.COM
TODAY'S TALK
•  3 Ps of Info. Security
•  Secure Development - Published Standards
•  Practical Best Practices – Implementation Guidelines
    •  S.I.T.A.T (Standardize, Isolate, Testing, Audits, Tooling)
•  Debunking Common Myths
THREE Ps OF SECURITY
•  PEOPLE
•  PROCESS
•  PERSISTENCE / PRACTICE
•  SECURITY IS NOT A PRODUCT
WHY DEVELOPMENT SECURITY?
•  The MAJORITY of security vulnerabilities originate in poorly written code
•  Great impact vs. minimal investment
•  Awareness at the basic, fundamental, core level
•  Reciprocal effect: secure habits in one team spread to the others
•  Best use of resources
STANDARDS
•  SSE-CMM
    •  Systems Security Engineering – Capability Maturity Model (ISO/IEC 21827)
•  TSP-Secure
    •  Team Software Process for Secure Software Development
•  Microsoft Trustworthy Computing Security Development Lifecycle (SDL)
•  SAMM
    •  Software Assurance Maturity Model (OWASP)
•  SSF
    •  Software Security Framework (the structure used by BSIMM)
PRACTICAL IDEAS
•  Standardize
•  Isolate
•  Testing & Peer Reviews
•  Audits
•  Tooling
STANDARDIZE
•  Infrastructure
    •  What systems to use
    •  What versions/patches to deploy
•  Methodology
    •  Waterfall
    •  Agile
    •  Swimlanes
    •  Kanban Boards
    •  SDLC
•  Deployment Automation
ISOLATE
•  Development Stages
    •  Development
    •  Testing
    •  Staging
    •  Production
•  Isolate:
    •  Hardware
    •  Connectivity
    •  Credentials
        •  Centralized Credential Store (LDAP/AD/SSO/Federation)
•  Change Management Process
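To make the connectivity and credential isolation above a check rather than a convention, here is an added example (the editor's code, not from the deck): a start-up guard that refuses to run when a stage's configuration points at another stage's network or reuses another stage's credential. The stage networks, hosts, secrets and the fingerprint registry are constructed for illustration; in practice the registry would be published by the centralized credential store so that no stage ever holds another stage's plaintext secrets.

```python
"""Start-up guard for the dev / testing / staging / production split.
Added example by the editor, not code from the original deck. The stage
networks, hosts, secrets and the fingerprint registry are constructed;
a real registry would be exported by the centralized credential store
(LDAP/AD/SSO) so that no stage holds another stage's secrets."""
import hashlib
import ipaddress

STAGES = ("development", "testing", "staging", "production")

# Connectivity isolation: each stage may only reach its own network.
STAGE_NETWORKS = {
    "development": ipaddress.ip_network("10.10.0.0/16"),
    "testing":     ipaddress.ip_network("10.20.0.0/16"),
    "staging":     ipaddress.ip_network("10.30.0.0/16"),
    "production":  ipaddress.ip_network("10.40.0.0/16"),
}


def fingerprint(secret: str) -> str:
    """SHA-256 of a credential: enough to detect reuse across stages
    without the checking host ever holding the other stage's plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Credential isolation: fingerprint -> stage that owns the credential.
# Constructed sample; a real registry comes from the credential store.
CREDENTIAL_OWNERS = {
    fingerprint("prod-db-pass-9f3a"):    "production",
    fingerprint("staging-db-pass-1c2b"): "staging",
}


def check_isolation(stage: str, config: dict) -> list:
    """Return the list of isolation violations for `config` run as `stage`.
    An empty list means the process may start; anything else should abort
    and be routed through change management, not worked around."""
    if stage not in STAGES:
        return ["unknown stage %r" % stage]
    violations = []
    allowed = STAGE_NETWORKS[stage]
    for name, host in config.get("hosts", {}).items():
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            violations.append("%s: %r is not an address from the stage inventory"
                              % (name, host))
            continue
        if addr not in allowed:
            violations.append("%s: %s is outside the %s network %s"
                              % (name, host, stage, allowed))
    for name, secret in config.get("secrets", {}).items():
        owner = CREDENTIAL_OWNERS.get(fingerprint(secret))
        if owner is not None and owner != stage:
            violations.append("%s: credential belongs to %s, must not be used in %s"
                              % (name, owner, stage))
    return violations


if __name__ == "__main__":
    # Constructed: a developer laptop accidentally configured with production settings
    leaked = {"hosts": {"db": "10.40.1.7"}, "secrets": {"db_pass": "prod-db-pass-9f3a"}}
    for v in check_isolation("development", leaked):
        print("REFUSING TO START:", v)
```

The guard compares hashes, not secrets, so a developer machine can detect "this is the production database password" without ever being given that password; the same fingerprint registry also answers the change-management question of which stage a leaked credential came from.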
TESTING
•  Software should be tested by:
    •  Developers
    •  End Users
    •  Dedicated QA/QC Team
    •  Everyone in the company
•  Not by a single gatekeeper:
    •  CEO-only
    •  Customer-only
    •  My Boss
•  One Good Test = Hours of development time saved
•  One Bad Test = Hours of development time wasted
•  Development Time = Money
GOOD TESTS VS. BAD TESTS
•  Centralized Bug Database
    •  That everyone uses, not just developers
•  Good Tests = Good Bug Reports
    •  Repeatable steps
    •  Example input
    •  Expected this, got this
    •  BugCam / screen capture
•  Bad Tests
    •  Bugs that can't be reproduced
    •  A growing backlog of bugs
    •  Time wasted chasing non-software issues
PEER / CODE REVIEWS
•  Creating a proper environment
•  Peer Reviews vs. Testing
    •  Implementation vs. Execution
    •  Code / Algorithm Level
    •  "Is there a better way to write this loop?"
    •  Pool expertise together
    •  Learning Environment
TOOLING
•  Good Quality Tools = Good Quality Product
•  Standardize on tooling and frameworks
•  Standard Documentation and bootstrapping
   •  Use a wiki/intranet
   •  Geared towards developers
   •  Centralize machine images
ABOUT FRAMEWORKS
•  Software frameworks good:
    •  Set of rules that lead to benefits
    •  “Batteries Included”
    •  Save Development Time
          •    Common security headaches dealt with
•  Software frameworks bad:
    •  Black box – too much “magic”
    •  Another thing to patch/maintain
    •  Collateral damage
•  Conclusion:
    •  Use the Right framework, not the Popular framework
COMMON MYTHS
•  Complex passwords are secure passwords
•  Closed Source vs. Open Source
•  3rd Party Testing = Assurance
COMPLEX PASSWORDS
•  Typical password requirements:
    •  1 CAPITAL letter
    •  1 lowercase letter
    •  1 numeric character
    •  1 "special" character
    •  Minimum 8 characters in length
    •  Cannot reuse the last X passwords
•  Opposite Effect
    •  People write down passwords
    •  People repeat patterns that satisfy every rule (Apr@2012, May@2012)
Password policies have led to passwords that are difficult for people to remember, but easy for machines to crack.
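The following added example (the editor's code, not from the deck) makes the slide's point measurable: it encodes the composition policy listed above, shows that Apr@2012 and May@2012 pass it while a long passphrase fails it, and compares the search space the policy appears to promise with the search space an attacker actually needs once the month-year pattern is known. The month-year template, the three-capitalisation assumption and the guess rate are the editor's assumptions, not figures from the slides.

```python
"""Composition rules versus guessability: the deck's point that
policy-compliant passwords like Apr@2012 are easy for machines to crack.
Added example by the editor, not from the original slides. The policy
encodes the slide's list; the month-year template, the capitalisation
rule and the guess rate are the editor's assumptions."""
import math
import re
import string

SPECIALS = set(string.punctuation)            # 32 printable ASCII specials
PRINTABLE = 26 + 26 + 10 + len(SPECIALS)      # 94 characters the policy draws from


def meets_composition_policy(pw: str) -> bool:
    """The slide's typical requirements: at least 8 characters with one
    upper-case, one lower-case, one digit and one special character."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
# Editor's template for the Apr@2012 / May@2012 shape: month abbreviation,
# at most one separator, four-digit year in 1900-2099.
MONTH_YEAR = re.compile(
    r"(?:%s)[^A-Za-z0-9]?(?:19|20)\d{2}" % "|".join(MONTHS), re.IGNORECASE)


def is_predictable(pw: str) -> bool:
    """True when the password is an instance of the month-year template."""
    return MONTH_YEAR.fullmatch(pw) is not None


def nominal_bits(length: int = 8, alphabet: int = PRINTABLE) -> float:
    """Search space the policy appears to promise: every 8-character string."""
    return length * math.log2(alphabet)


def template_bits() -> float:
    """Search space an attacker needs for the month-year template:
    12 months x (one separator or none) x 200 years x 3 capitalisations
    (apr / Apr / APR; the capitalisation rule is an assumption)."""
    candidates = 12 * (len(SPECIALS) + 1) * 200 * 3
    return math.log2(candidates)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate at an assumed offline rate.
    1e9 guesses/s is a placeholder for a fast unsalted hash on commodity GPUs."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ("Apr@2012", "May@2012", "correct horse battery staple"):
        print("%-30s policy=%-5s predictable=%s"
              % (pw, meets_composition_policy(pw), is_predictable(pw)))
    print("nominal: %.1f bits, %.0f s to exhaust"
          % (nominal_bits(), seconds_to_exhaust(nominal_bits())))
    print("month-year template: %.1f bits, %.4f s to exhaust"
          % (template_bits(), seconds_to_exhaust(template_bits())))
```

The policy accepts the predictable passwords and rejects the passphrase, and the template collapses the nominal 52-bit space to under 18 bits; that is the mechanism behind "difficult for people, easy for machines". A length requirement plus a denylist of common patterns and breached passwords targets the actual weakness, where a composition rule does not.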
CLOSED SOURCE VS. OPEN SOURCE
•  Common Myths:
    •  Since it's open, hackers know the code
    •  Anyone can find bugs and exploit them
•  The Truth:
    •  More eyes = more people able to find and fix the bug (source visibility helps defenders as much as attackers)
    •  When a bug is found it is disclosed publicly and usually fixed quickly
    •  Open source does not eliminate "zero day" exploits; closed source has them too, they are just invisible to users until exploited
3RD PARTY TESTING
•  Myth
    •  They will test my code
    •  They will tell me what's wrong
    •  If they say it passes, it is secure
•  Truth
    •  Scanner-driven testing checks against published vulnerabilities only
    •  The report tells you what is wrong with your stack, not with your code
        •  Apache vulnerability
        •  Windows patch missing
    •  Your code keeps evolving; a pass is a snapshot of one version on one day
THANK YOU
QUESTIONS
@BURHAN – HTTP://SPKR8.COM/S/15462