This document discusses security best practices for software developers. It covers topics like the secure software development lifecycle (SDLC), threat modeling, static code analysis, and resources for developers. The SDLC framework defines the process for building applications from start to finish. Threat modeling involves analyzing potential threats and vulnerabilities. Static code analysis tools can find security issues. Resources recommended include OWASP documentation and Microsoft's security engineering practices. The goal is to integrate security practices into development like training, requirements, testing, and incident response.

1. SECURITY FOR DEVELOPERS
@shawkyz1
@shawkyz

2. • Secure Software Development Life Cycle
• Design Issues.
• Threat Modeling.
• Static Code Analysis.
• Fuzzing.
• Resources.
AGENDA

3. SDLC (SOFTWARE DEVELOPMENT LIFECYCLE)
• A Software Development Life Cycle (SDLC) is a framework that defines the process
used by organizations to build an application from its inception to its
decommission. Over the years, multiple standard SDLC models have been proposed
(Waterfall, Iterative, Agile, etc.) and used in various ways to fit individual
circumstances.

4. • Planning and requirements.
• Architecture and design.
• Test planning.
• Coding.
• Testing and results.
• Release and maintenance.
SDLC PHASES

5. SECURE YOUR SDLC ACCORDING TO
MICROSOFT
• Provide Training.
• Define Security Requirements.
• Perform Threat Modeling.
• Define and Use Cryptography Standards.
• Follow Best Practices.
• Perform Static Analysis.
• Perform Dynamic Analysis.
• Regularly Pentest.
• Establish Incident Response Mechanism.
Source: https://www.microsoft.com/en-us/securityengineering/sdl/practices

6. EX: LOGIN PROCESS

7. EX: LOGIN PROCESS

8. EX: LOGIN PROCESS FLOW SSO

9. THREAT MODELING

10. THREAT MODELING

11. THREAT MODELING

12. EXAMPLE OF UNSAFE MANAGED
CODE
• unsafe static void Main()
• {
• fixed (char* value = "safe")
• {
• char* ptr = value;
• while (*ptr != '0')
• {
• Console.WriteLine(*ptr);
• ++ptr;
• }
• }
• }

13. ATTACK SURFACE REDUCTION
• Part of the process of reducing the attack surface is taking down APIs or functionalities that are no longer neeeded by
following the LEAN engineering principle.
• Threat modelling can also help with scaling-down the attack surface.
• Unnecessary logic complexity can lead to security problems in the future.
• Automated Tests (Static and/or dynamic analysis).
• Pentesting your application.

14. STATIC ANALYSIS TOOLS
• https://owasp.org/www-community/Source_Code_Analysis_Tools

15. BROWSER SECURITY FEATURES
• HTTP Strict Transport Security (HSTS)
• Public Key Pinning Extension for HTTP (HPKP)
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Content-Security-Policy
• X-Permitted-Cross-Domain-Policies
• Referrer-Policy
• Expect-CT
• Feature-Policy
• Cookies attributes (Secure, Samesite).

16. OWASP TOP 10

17. RESOURCES?
• Troy Hunt‘s OWASP Top 10 for .NET developers
• https://files.troyhunt.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf
• OWASP TOP 10 2017
• https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
• Security Engineering Practices
• https://www.microsoft.com/en-us/securityengineering/sdl/practices

18. HOW TO APPLY BEST PRACTICES
• Always check OWASP‘s Best practices for a certain vulnerability.
• Look for OWASP‘s Library/Framework Recommendations.
• Don‘t trust any default configs. Always double check it.
• Never trust user‘s input.
• Apply ACLs.

19. HOW DO I KNOW ABOUT NEW 0DAYS?
• Check if your local CERT if they offer a newsletter.
• Subscribe to MITRE newsletter https://cve.mitre.org/news/newsletter.html
• Regrularly Update Libraries/Frameworks you‘re using.

20. FOLLOW ME?
@shawkyz1
@shawkyz
@shawkyz1
https://shawkyz.info abdelrhmanshawky4@gmail.com