This is a talk that I presented at a local .NET user group. The goal of this talk is to present some tools that developers/architects can use as they describe/design/build/release applications
7. Why is security so hard?
Developers have context, but
focused on code/features/etc Requirements do not include all
security considerations for a project
1 2 3
Inadequate training for key resources
4
Failure to consider threat landscape
across the entire application lifecycle
10. Recon in the Web World
WHOIS Lookups / DNS
Website Searches
Spider / Crawlers
Specialized Search Engines
HTTP Responses
Robots.txt
Port Scanning / Web Scanning
32. Tool #4: SABSA Attributes
Name Description
Risk Metric
Measure
Approach
Primary threshold
Secondary
Threshold
Conceptual abstraction
Modeled into a normalized
language
Must define measurement approach
Must define measured metric
Use as baseline for reporting/SLA
33. SABSA Attribute Example
Name Accurate
Description The information provided to users should be accurate within a range
that has been pre-agreed as being applicable to the service being
delivered
Risk Moderate
Metric % of time data is up to date
Approach Data for canned queries is monitored using the time generated field
to understand how recent the data is. Automated process,
compliance dashboard
Primary
Threshold
30% of customers are seeing non-realtime data
Secondary
Threshold
50% of customers are seeing non-realtime data
37. ASVS Domains
Architecture,
design, and
threat modeling
Authentication
Session
Management
Access Control
Malicious input
handling
Cryptography at
rest
Error handling
and logging
Data protection
Communications
HTTP Security
Configurations
Malicious
controls
Business logic
File and
resources
Mobile Web Services Configuration
43. Tool #6: OWASP AppSensor
….defines a conceptual framework
and methodology that offers
prescriptive guidance to implement
intrusion detection and automated
response into applications.