Centralway
Secure Coding
Gamification and automation for the win
Rafael Matias
@skylept
Tiago Henriques
@balgan
www.centralway.com
$wut?
Objectives of this talk - Developers
● Top 10 risks to your web applications
● What worries your security team
● How you can write secure code
● Secure your data, applications and test it
● Automate
Objectives of this talk - Security
● Stimulate your developers towards Security
● Make it interesting, fun and rewarding for the developers
● Make security work in a way that fits your developers
● Automate
Objective
Security Developers
$who
Tiago Henriques
@balgan
Head of Security
Centralway
Rafael Matias
@skylept
Software Engineer
Centralway
How it all started...
Problem?
● Too many areas
● Too many projects
● Too much work
● 1 guy
Problem? Solutions!
● Too many areas - Automation
● Too many projects - Consistency
● Too much work - Focus.
● 1 guy - Recruiting.
Problem? Solutions!
“You cannot defend everything, take a step back,
calm down and really FOCUS on your work”
Nicolas Ruflin - CTO Centralway, 2013.
Too many areas - automation
Application Security
● Developer Education
● Integration of security into SDLC
● Code Reviews
● Testing
● Deployment
● Design
● Regular testing
● Incident Handling
Too many areas - automation
Application Security
● Developer Education
● Integration of security into SDLC
● Code Reviews
● Testing
● Deployment
● Design
● Incident Handling
Automation levels as labelled on the slide: Partial Automation, Partial Automation, Full Automation, Guidelines, Assistance, Manual, Manual
Today we focus on...
Application Security
● Developer Education
● Integration of security into SDLC
● Code Reviews
● Testing
Automation levels as labelled on the slide: Partial Automation, Partial Automation, Manual
SDLC
How does Security fit the SDLC?
Excellent talk by Jeff Williams (@planetlevel) on where
security comes in the SDLC got me thinking about this.
SDLC
AppSec at DevOps Speed and Portfolio Scale - Jeff Williams
http://youtu.be/cIvOth0fxmI
SDLC - v1
This looks quite nice, there is a lot in
there we don’t need at the moment
though. Let me create my own version
that can adapt to our needs
SDLC - V1
Hey Mr Developer, here is a cool
new diagram I made on how
Security can fit our Software
development life cycle! Check it
out!
SDLC - V1
What the hell is this crap?
This is absolutely focused on
waterfall which is nowhere near
what we use. Dude. Seriously.
What the hell. We use agile…
blablablabla
*ARGHHHHH*
SDLC - V1
I can give you some explanation on
how Agile works and how we work!
fineeeeee...
SDLC - V1
Blablabla… iterations...blablabla…
inception...blablabla construction…
blabla continuous deployment…
blablablablabla
3 hours later
SDLC - V1
Cool dude, thanks! Time to go
back to the whiteboard.
SDLC - v1
This looks quite nice, there is a lot in
there we don’t need at the moment
though. Let me create my own version
that can adapt to our needs
Mistakes:
1. Assumed I knew what we needed
2. Didn’t consult the developers
SDLC - V2
SDLC - V2
Manual:
● Application catalog - creation and maintenance of an application assets DB (application name; project team;
technology; third-party extensions; etc.)
● Risk analysis - assess and rank how much risk each application adds
● Data analysis - value of the data handled
● Threat analysis - possible adversaries and threats to the product
● Write down possible compliance issues
● Check the technologies used and identify the specific security measures, techniques and technologies that apply to that project
● Create technology-specific best-practice secure development guidance
● Cross-check the project architecture against a checklist of secure architecture principles
● Identify the entry points (attack surface / defence perimeter) in the software design
● Analyse the software design against the known security risks
● Write down which data this project will need to log
SDLC - V2
Manual:
● Actively discuss and help developers with questions they might have
● Find solutions for problems we might encounter
● Keep a log of all these issues so that when a similar situation comes up in the future there is a record of the solution found,
which can easily be adapted to other projects (example: a developer found that project XYZ didn't use SSL; SecurityDude sat
down with him and discussed how to do SSL on iOS and how to use SSL pinning)
SDLC - V2
Dynamic:
● The developer submits their own code to Source Radar and self-checks for warnings.
● Source Radar should log the following (this gives the security team an overview of how a project evolves and of the quality
of each developer's code):
● Number of reviews developer X did on project Y
● Number of errors or warnings found in developer X's code on project Y
● Types of errors found in developer X's code on project Y
● Use tools similar to O2 - automatic code fix / automatic code warnings integrated into the IDE
● The security team does its own source code review using Source Radar plus technology-specific tools where they exist
(example: Brakeman for Ruby on Rails)
● At the end, compare the security team's results with what the developers found through Source Radar
● If previous analyses exist, compare the current review with the previous ones and analyse the changes (more bugs
of type X, fewer bugs of type Y, more bugs in the whole project)
SDLC - V2
Interactive:
● The security team tries to break the project simply by interacting with it and using it. No security tools allowed in this phase.
● Log bugs with as much detail as possible in a spreadsheet and pass them over to the developers
● Create an entry per bug, mark it as non-fixed and record the date the vulnerability was found
● Retest on the next iteration; if fixed, mark it on the spreadsheet and record the date the vulnerability was fixed
SDLC - V2
Deploy - Staging
Manual:
● Test the application manually, using security tools such as Burp Proxy and others.
● When a vulnerability is found, create a ticket for the project and assign it to the head of the project, who then assigns it to
the correct developer
● Write the vulnerability down in a log with the following: id, title, type, HTTP request / network request (if needed),
screenshots of the abuse, notes, date found, name of the person who found the issue
● Mark it for retest
● On the next iteration retest; if fixed, record in the log that it is fixed, the date it was confirmed fixed and who retested. If it is
not fixed, re-open the ticket and add a comment explaining why.
SDLC - V2
Deploy - Staging
Dynamic:
● Automated application test - run automated tools such as Acunetix, Websecurify, Burp Scanner and Nikto
against the application
● Save the reports in the project folder
● When a vulnerability is found, create a ticket for the project and assign it to the head of the project, who then assigns it to
the correct developer
● Write the vulnerability down in a log with the following: id, title, type, HTTP request / network request (if needed),
screenshots of the abuse, notes, date found, name of the person who found the issue
● Mark it for retest
● On the next iteration retest; if fixed, record in the log that it is fixed, the date it was confirmed fixed and who retested. If it is
not fixed, re-open the ticket and add a comment explaining why.
SDLC - V2
Deploy - Staging
Static:
● Debug and test the application using static analysis tools
● Save the reports in the project folder
● When a vulnerability is found, create a ticket for the project and assign it to the head of the project, who then assigns it to
the correct developer
● Write the vulnerability down in a log with the following: id, title, type, HTTP request / network request (if needed),
screenshots of the abuse, notes, date found, name of the person who found the issue
● Mark it for retest
● On the next iteration retest; if fixed, record in the log that it is fixed, the date it was confirmed fixed and who retested. If it is
not fixed, re-open the ticket and add a comment explaining why.
SDLC - V2
Deploy - Production
Manual:
● Go through all the data about the project
● Make sure no critical vulnerabilities are being passed to production
● Guarantee all retests have been done
● Using the checklist in Source Radar, guarantee everything has been checked and has passed
● Pair code review of critical code only
● Guarantee all important information is being saved to the logs
● Verify logging works against complex manual attacks
● Verify warnings/alerts work against complex manual attacks
● If it is a critical application or one that contains important data, create an audit environment (copy of production)
● Book an external audit and have them test that environment
● When the results arrive, get them fixed ASAP
SDLC - V2
Deploy - Production
Static:
● Verify and re-test all critical static issues found
Dynamic:
● Verify and re-test all critical dynamic issues found
● Verify logging works against automated tool attacks
● Verify warnings/alerts work against automated tool attacks
Interactive:
● Write a set of edge cases for the application and test them interactively
SDLC - V2
Post Production Deployment
Manual:
● Monitor the project and attend to warnings and alerts
● Create a bug bounty for the project if it is public-facing
● Watch for new vulnerabilities and exploits in the technologies used; if any appear, get them fixed ASAP.
SDLC - V2
Post Production Deployment
Static:
● Have auto-throttling in place on functions that can be abused for DoS or brute force (account creation, login, etc.) and make
sure it works correctly
Dynamic:
● Run automated tools against these projects at least once a week to see if they pick up anything new and simple
Interactive:
● Make normal use of all functionality of the app to detect possible problems.
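As an added illustration of the auto-throttling bullet above (example code written for this page, not Centralway's or Source Radar's), here is a sliding-window throttle with lockout in Ruby, keyed once per source IP and once per account so that a brute-force attempt is slowed without a single attacker being able to lock the real user out. The limits, window lengths and key layout are assumptions; the counters live in memory, where a real deployment would use a shared store:

```ruby
# Sliding-window throttle with lockout for brute-force-prone endpoints
# (login, account creation). Pure Ruby, in-memory, for illustration.
class Throttle
  # limit:   attempts allowed per window
  # window:  window length in seconds
  # lockout: seconds a key stays blocked after exceeding the limit
  def initialize(limit:, window:, lockout:)
    @limit, @window, @lockout = limit, window, lockout
    @hits = Hash.new { |h, k| h[k] = [] }   # key => timestamps of recent attempts
    @locked_until = {}                      # key => time the lockout ends
  end

  # Returns :allow or :deny. `now` is injectable so the behaviour can be
  # tested without sleeping.
  def check(key, now = Time.now.to_f)
    locked = @locked_until[key]
    return :deny if locked && now < locked

    attempts = @hits[key]
    attempts.shift while attempts.any? && attempts.first <= now - @window
    attempts << now
    return :allow if attempts.size <= @limit

    # Over the limit: lock the key and drop its history so the lockout,
    # not the stale window, decides when it may try again.
    @locked_until[key] = now + @lockout
    attempts.clear
    :deny
  end
end

# Two keys per login attempt (assumed limits): a tight per-source-IP limit
# stops one host from guessing at speed; a looser per-account limit catches
# distributed guessing without letting one attacker lock the real user out.
IP_THROTTLE      = Throttle.new(limit: 5,  window: 60,  lockout: 300)
ACCOUNT_THROTTLE = Throttle.new(limit: 50, window: 600, lockout: 900)

def login_allowed?(account, ip, now = Time.now.to_f)
  ip_ok  = IP_THROTTLE.check("login:ip:#{ip}", now) == :allow
  acc_ok = ACCOUNT_THROTTLE.check("login:account:#{account}", now) == :allow
  ip_ok && acc_ok   # both counters are always updated, even when one denies
end
```

The important design choice is the pair of keys: throttling by account alone lets an attacker deny service to the victim by hammering their login, throttling by IP alone is defeated by a botnet, so each key gets a limit tuned to the abuse it is meant to stop.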
SDLC - V2
Follow these steps for each version of your application / software
Technology Ecosystem
Checklists - Developers
● Checklists for both Security team and Developers.
● Best way to make sure you don’t forget anything
● Makes your security team life easier
● Faster to fix things
● Technology catalog list - make a list of the technologies you use, hand
them over to your security team and have them create checklists for you to
follow.
Checklists - Security
● Checklists for both Security team and Developers.
● Best way to make sure you don’t forget anything
● Makes your life easier as your developers can follow the checklists and you
don’t need to worry about the basics!
Principles of Secure Development
● Created by David Rook
● Allows you to understand easily
the basic principles of writing
secure code
● Based on the KISS (Keep It Short
and Simple) principle
Input Validation
Output Validation
Error Handling
Authentication and Authorization
Session Management
Secure Communications
Secure Resource Access
Secure Storage
Principle 1 and 2 - Input and Output Validation
● Injection attacks
● Cross Site Scripting
● Security Misconfiguration
● Unvalidated Redirects and Forwards
● Content Spoofing
● Unrestricted Upload of File with Dangerous Type
● Failure to Preserve SQL Query Structure, Web Page Structure, OS Command Structure
● URL Redirection to Untrusted Site
● Buffer Copy without Checking Size on Input
● Improper Limitation of a Pathname to a Restricted Directory
● Improper Control of Filename for Include or Require Statement in PHP Program
● Buffer Access with Incorrect Length Value
● Improper Validation of Array Index
● Integer Overflow or Wraparound
● Incorrect Calculation of Buffer Size.
Principle 3 - Error Handling
● Information Leakage
● Information Exposure Through an Error Message
● Improper Check for Unusual or Exceptional Conditions
Principle 4 - Authentication
● Broken Authentication and Session Management
● Security Misconfiguration
● Unvalidated Redirects and Forwards
● Insufficient Authorisation
● Insufficient Authentication
● Abuse of Functionality
● Use of Hard-coded Credentials
● Incorrect Permission Assignment for Critical Resource
● Reliance on Untrusted Inputs in a Security Decision
● Missing Authentication for Critical Function
● Improper Access Control
Principle 4 - Authorization
● Insufficient Authorisation
● Insufficient Authentication
● Abuse of Functionality
● Use of Hard-coded Credentials
● Incorrect Permission Assignment for Critical Resource
● Reliance on Untrusted Inputs in a Security Decision
● Missing Authentication for Critical Function
● Improper Access Control
Principle 5 - Session Management
● Broken Authentication and Session Management
● Cross Site Request Forgery
Principle 6 - Secure Communications
● Insufficient Transport Layer Protection
● Use of a Broken or Risky Cryptographic Algorithm
● Missing Encryption of Sensitive Data
Principle 7 - Secure Resource Access
● Insecure Direct Object Reference
● Failure to Restrict URL Access
● Security Misconfiguration
● Unvalidated Redirects and Forwards
● Predictable Resource Location
● Improper Limitation of a Pathname to a Restricted Directory
● Improper Control of Filename for Include/Require Statement in PHP Program
● Allocation of Resource Without Limits or Throttling
Principle 8 - Secure Storage
● Insecure Cryptographic Storage
● Use of a Broken or Risky Cryptographic Algorithm
● Missing Encryption of Sensitive Data
Automation - Open Source and Free tools
● Agnitio
● Brakeman
● OWASP Zap
● Codesake Dawn
● Gauntlt
● Source Radar
Agnitio
● Developed by David Rook
● Source Code analysis
● Rule based
● Windows only
● Open Source
Brakeman
● Only for Ruby on Rails
● http://brakemanscanner.org/
● Easily integrated into Jenkins and other CI software so
that you get automated reports each time a new build is
done
● Open Source
● Awesome Dev team
OWASP ZAP
● Proxy used to intercept requests; has a built-in vulnerability scanner for web applications.
● Really good scripting engine (Python)
● Grab all your developers' tests and run them through ZAP as a proxy with the active scanner on.
● Will detect basic stuff like XSS and some really 101 SQLi for free (in case you can't afford hiring a security
person or just want a really basic automated check)
Codesake Dawn
● Codesake::Dawn is a gem providing a security source code analyser for web applications written in Ruby
● When you run Codesake::Dawn on your code it parses your project's Gemfile.lock looking for the gems used, and it tries to
detect the Ruby interpreter version you are using or declared in whichever Ruby version management tool you prefer
(RVM, rbenv, ...).
● Then the tool tries to detect the MVC framework your web application uses and applies the security checks accordingly.
● There are checks designed for Rails applications and checks that apply to any Ruby code.
● https://github.com/codesake/codesake-dawn
Gauntlt
● An always attacking environment for developers
● Easy syntax (Gherkin) to write attack use cases
● Can use lots of tools, as you can invoke direct command line commands
Example attack file (sqlmap against a local target):

@slow @announce
Feature: Run sqlmap against a target

  Scenario: Identify SQL injection vulnerabilities
    Given "sqlmap" is installed
    And the following profile:
      | name       | value                                           |
      | target_url | http://localhost:9292/sql-injection?number_id=1 |
    When I launch a "sqlmap" attack with:
      """
      python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
      """
    Then the output should contain:
      """
      sqlmap identified the following injection points
      """
    And the output should contain:
      """
      [2 tables]
      +-----------------+
      | passwords       |
      | sqlite_sequence |
      +-----------------+
      """
Source Radar
● Alpha
● Very Alpha
● More a proof of concept than anything else
● Rule based
● Can take any language: for languages it has a parser for, it builds an AST and runs the analysis on that;
otherwise it falls back to pure text matching
● Can be used by developers and security teams
● Dream team generator
● Reward based - Gamification
Source Radar - Example
● CVE-2011-0446
● Potential XSS problem with mail_to :encode => :javascript
● All you need to do in Source Radar is create a rule; it will then go through all projects and automatically
flag the ones that use this function
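To show what such a rule looks like when it actually runs over code, here is an added Ruby example (not Source Radar's own implementation; its rule format is not on these slides). It parses Ruby with the standard library's Ripper to find mail_to calls that pass :encode => :javascript in either hash syntax, and falls back to plain text matching for files it cannot parse, mirroring the AST-or-text behaviour described for Source Radar. The sample project, the rule fields and the function names are constructed for this example:

```ruby
require "ripper"

# Constructed sample "project" (not real Centralway code). Only the helper in
# legacy_helper.rb really passes :encode => :javascript to mail_to; the
# commented-out line in contact_helper.rb and the note in notes.txt exist to
# show where AST matching and plain text matching disagree.
SAMPLE_PROJECT = {
  "app/helpers/contact_helper.rb" => <<~RUBY,
    module ContactHelper
      # mail_to user.email, "Contact", encode: :javascript   # old version, removed
      def contact_link(user)
        mail_to user.email, "Contact", encode: :hex
      end
    end
  RUBY
  "app/helpers/legacy_helper.rb" => <<~RUBY,
    module LegacyHelper
      def legacy_contact(user)
        mail_to(user.email, "Contact", :encode => :javascript)
      end

      def home_link
        link_to "Home", "/"
      end
    end
  RUBY
  "config/notes.txt" => "TODO: landing page still uses mail_to with encode: :javascript\n",
}

# One rule in the spirit of the slide: a method, an option name and the value
# that makes the call dangerous. The field names are this example's own.
RULE = {
  id: "CVE-2011-0446",
  title: "mail_to with :encode => :javascript (potential XSS)",
  method: "mail_to",
  option: "encode",
  value: "javascript",
}

# Yield every S-expression node ([:type, ...]) in a Ripper tree, depth first.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node) if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

def ident_name(node)
  node.is_a?(Array) && node[0] == :@ident ? node[1] : nil
end

# Name of the method a call node invokes, for the call shapes Ripper emits:
# `f a, b` (:command), `f(a, b)` (:method_add_arg over :fcall), `x.f(...)` (:call).
def called_method(node)
  case node[0]
  when :command, :fcall     then ident_name(node[1])
  when :method_add_arg      then called_method(node[1])
  when :call, :command_call then ident_name(node[3])
  end
end

# Symbol name for `key:` labels and `:key` symbol literals; nil for anything else.
def symbol_name(node)
  return nil unless node.is_a?(Array)
  case node[0]
  when :@label         then node[1].chomp(":")
  when :symbol_literal then symbol_name(node[1])
  when :symbol         then ident_name(node[1])
  end
end

# True if any `option => value` pair (either hash syntax) appears in the call's arguments.
def dangerous_option?(call_node, option, value)
  found = false
  each_node(call_node) do |n|
    next unless n[0] == :assoc_new
    found ||= symbol_name(n[1]) == option && symbol_name(n[2]) == value
  end
  found
end

def node_line(node)
  line = nil
  each_node(node) { |n| line ||= n[2][0] if n[0] == :@ident && n[2].is_a?(Array) }
  line
end

# AST path: comments and strings are invisible, so only real calls are flagged.
def ast_scan(path, source, rule)
  tree = Ripper.sexp(source)
  return text_scan(path, source, rule) if tree.nil?   # unparsable file: degrade to text
  findings = []
  each_node(tree) do |n|
    next unless called_method(n) == rule[:method]
    next unless dangerous_option?(n, rule[:option], rule[:value])
    findings << { rule: rule[:id], file: path, line: node_line(n), how: "ast" }
  end
  findings
end

# Text path for files without a parser: cheap, but it cannot tell a call from
# a comment or a TODO, so it over-reports. Regexp.escape guards the rule strings.
def text_scan(path, source, rule)
  pattern = /\b#{Regexp.escape(rule[:method])}\b.*#{Regexp.escape(rule[:option])}.*#{Regexp.escape(rule[:value])}/
  findings = []
  source.each_line.with_index(1) do |line, no|
    findings << { rule: rule[:id], file: path, line: no, how: "text" } if line.match?(pattern)
  end
  findings
end

# Scan every file, choosing the AST path for Ruby and the text path otherwise.
def scan_project(project, rule)
  project.flat_map do |path, source|
    path.end_with?(".rb") ? ast_scan(path, source, rule) : text_scan(path, source, rule)
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_project(SAMPLE_PROJECT, RULE).each { |f| puts "#{f[:rule]} #{f[:file]}:#{f[:line]} (#{f[:how]})" }
end
```

On the sample project the AST path reports the one real call (legacy_helper.rb line 3) and ignores the commented-out line, while the text path run over every file would also flag the comment and the TODO; that difference is the reason to prefer a parser wherever one exists and to treat text-only hits as leads to triage rather than confirmed findings.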
Source Radar - Rewards
● Gamification
● Badges
Gamification
● People like games
● Devs do hard work
● And on top of that we want them to do Security
● Why not at least try to make it fun and rewarding
for them?
Gamification - In security - Objectives
● Make devs want to do security
● Make them want to do it often
● Reward them correctly
● Because they do it more often we get more data
(helps security team, more on this in a little)
Source Radar - DEMO
Data - Metrics - KPIs
● If you look closely, Source Radar has some extra fields on each vulnerability record
● On top of that it isn't just an open web application: it has a user management system attached to it
● Why?
Data - Metrics - KPIs
● Measuring Security.
● Does security do anything?
● How Secure are we?
● How secure were we yesterday?
● Have we been improving?
Vulnerability classification
Data - Metrics - KPIs
● Weighted Risk Trend (WRT)
● Defect Remediation Window (DRW)
● Rate of defect recurrence (RDR)
● Security to Quality defect Ratio (SQR)
Data - Metrics - KPIs
Developer training
Hey Boss, I need the team of
developers from project X for 2
days for the application security
training.
Developer training
HAHA! Nope. That would stop the
project for too long. You get 1 hour
with each developer
Developer training
● Tailored training - if developer X has only been having
problems related to a specific category like
cryptography, why make him listen to me
ramble about input validation and output filtering again?
● Teach each developer only what he needs = faster
security training.
● Metrics - developer improvement over time: pre-training
vs. after
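An added example (not the deck's or Source Radar's code) that computes the four KPIs listed earlier, WRT, DRW, RDR and SQR, from a vulnerability log in the shape the SDLC slides describe (id, type, date found, date fixed, who found it), and derives from the same log the per-developer view that tailored training needs. The formulas are simplified readings of the Magic Numbers paper in the references; the release, severity and developer fields, the severity weights and the quality-defect counts are assumptions, and every log entry is constructed:

```ruby
require "date"

# Constructed vulnerability log in the shape the deck's log keeps (id, type,
# date found, date fixed, who found it). `release`, `severity` and `developer`
# (who owns the code) are assumed extra fields. Not real Centralway data.
VULN_LOG = [
  { id: 1, release: "v1", type: "XSS",       severity: :high,     developer: "ana", found: "2014-03-03", fixed: "2014-03-10", found_by: "tiago" },
  { id: 2, release: "v1", type: "SQLi",      severity: :critical, developer: "ana", found: "2014-03-04", fixed: "2014-03-05", found_by: "tiago" },
  { id: 3, release: "v1", type: "Info leak", severity: :low,      developer: "bob", found: "2014-03-04", fixed: nil,          found_by: "rafael" },
  { id: 4, release: "v2", type: "XSS",       severity: :high,     developer: "ana", found: "2014-04-01", fixed: "2014-04-15", found_by: "zap" },
  { id: 5, release: "v2", type: "CSRF",      severity: :medium,   developer: "bob", found: "2014-04-02", fixed: "2014-04-04", found_by: "tiago" },
  { id: 6, release: "v3", type: "XSS",       severity: :high,     developer: "ana", found: "2014-05-06", fixed: nil,          found_by: "brakeman" },
]
RELEASES = %w[v1 v2 v3]
QUALITY_DEFECTS = { "v1" => 20, "v2" => 25, "v3" => 19 }       # constructed non-security bug counts per release
SEVERITY_WEIGHT = { critical: 10, high: 5, medium: 2, low: 1 }  # assumed weights for WRT

def by_release(log)
  RELEASES.map { |r| [r, log.select { |v| v[:release] == r }] }.to_h
end

# WRT: severity-weighted count of defects found per release. A falling series
# means each release shipped with less risk, whatever the raw counts did.
def weighted_risk_trend(log)
  by_release(log).transform_values { |vs| vs.sum { |v| SEVERITY_WEIGHT.fetch(v[:severity]) } }
end

# DRW: mean days from "date found" to "date fixed", per release, fixed items
# only (nil when nothing in that release has been fixed yet).
def defect_remediation_window(log)
  by_release(log).transform_values do |vs|
    fixed = vs.reject { |v| v[:fixed].nil? }
    next nil if fixed.empty?
    days = fixed.sum { |v| (Date.parse(v[:fixed]) - Date.parse(v[:found])).to_i }
    (days.to_f / fixed.size).round(1)
  end
end

# RDR: share of findings whose type had already been found and fixed in an
# earlier release, i.e. the fix did not stick as a lesson.
def rate_of_defect_recurrence(log)
  fixed_types = {}
  recurrences = 0
  RELEASES.each do |r|
    current = log.select { |v| v[:release] == r }
    recurrences += current.count { |v| fixed_types[v[:type]] }
    current.each { |v| fixed_types[v[:type]] = true if v[:fixed] }
  end
  (recurrences.to_f / log.size).round(2)
end

# SQR: security defects as a fraction of all defects (security + quality), per release.
def security_to_quality_ratio(log, quality)
  by_release(log).map { |r, vs| [r, (vs.size.to_f / (vs.size + quality.fetch(r))).round(2)] }.to_h
end

# Per-developer view for tailored training: which defect types each person's
# code keeps producing, most frequent first.
def training_topics(log)
  log.group_by { |v| v[:developer] }.transform_values do |vs|
    vs.group_by { |v| v[:type] }.map { |type, xs| [type, xs.size] }.sort_by { |_, n| -n }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "WRT: #{weighted_risk_trend(VULN_LOG)}"
  puts "DRW: #{defect_remediation_window(VULN_LOG)}"
  puts "RDR: #{rate_of_defect_recurrence(VULN_LOG)}"
  puts "SQR: #{security_to_quality_ratio(VULN_LOG, QUALITY_DEFECTS)}"
  puts "Training: #{training_topics(VULN_LOG)}"
end
```

The training view is the payoff of logging who owns the code alongside each finding: on the constructed log it shows one developer repeatedly shipping XSS while the other has a spread of single issues, which is exactly the signal the one-hour-per-developer constraint needs.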
Kudos
● Centralway
● SAPO
● David Rook
THANK YOU
www.centralway.com/careers
References
● https://www.owasp.org/images/7/77/Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf
● www.securityninja.co.uk
● http://owasp.blogspot.co.uk
● http://vimeo.com/appsecusa

Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

Codebits 2014 - Secure Coding - Gamification and automation for the win

1. Centralway - Secure Coding: Gamification and automation for the win
Rafael Matias @skylept
Tiago Henriques @balgan
www.centralway.com

3. Objectives of this talk - Developers
● Top 10 risks to your web applications
● What worries your security team
● How you can write secure code
● Secure your data and applications, and test them
● Automate

Objectives of this talk - Security
● Stimulate your developers towards security
● Make it interesting, fun and rewarding for the developers
● Make security work in a way that fits your developers
● Automate

5. $who
Tiago Henriques @balgan - Head of Security, Centralway
Rafael Matias @skylept - Software Engineer, Centralway

6. How it all started...

9. Problem?
● Too many areas
● Too many projects
● Too much work
● 1 guy

10. Problem? Solutions!
● Too many areas - Automation
● Too many projects - Consistency
● Too much work - Focus
● 1 guy - Recruiting

11. Problem? Solutions!
"You cannot defend everything, take a step back, calm down and really FOCUS on your work"
Nicolas Ruflin - CTO Centralway, 2013

12. Too many areas - automation
Application Security areas: Developer Education; Integration of security into SDLC; Code Reviews; Testing; Deployment; Design; Regular testing; Incident Handling

13. Too many areas - automation
Application Security areas: Developer Education; Integration of security into SDLC; Code Reviews; Testing; Deployment; Design; Incident Handling
Each area in the diagram carries the level of automation chosen for it: Partial Automation, Partial Automation, Full Automation, Guidelines, Assistance, Manual, Manual

14. Today we focus on...
Developer Education; Integration of security into SDLC; Code Reviews; Testing (diagram labels: Partial Automation, Partial Automation, Manual)

15. SDLC - How does Security fit the SDLC?
Excellent talk by Jeff Williams (@planetlevel) on where security comes into the SDLC got me thinking about this.

16. SDLC
AppSec at DevOps Speed and Portfolio Scale - Jeff Williams
http://youtu.be/cIvOth0fxmI

17. SDLC - v1
This looks quite nice; there is a lot in there we don't need at the moment though. Let me create my own version that can adapt to our needs.

19. SDLC - v1
Security: Hey Mr Developer, here is a cool new diagram I made on how security can fit our software development life cycle! Check it out!

20. SDLC - v1
Developer: What the hell is this crap? This is absolutely focused on waterfall, which is nowhere near what we use. Dude. Seriously. What the hell. We use agile... blablablabla *ARGHHHHH*

21. SDLC - v1
Developer: I can give you some explanation on how Agile works and how we work!
Security: fineeeeee...

22. SDLC - v1
Developer: Blablabla... iterations... blablabla... inception... blablabla construction... blabla continuous deployment... blablablablabla
(3 hours later)

23. SDLC - v1
Security: Cool dude, thanks! Time to go back to the whiteboard.

24. SDLC - v1
This looks quite nice; there is a lot in there we don't need at the moment though. Let me create my own version that can adapt to our needs.
Mistakes:
1. Assumed I knew what we needed
2. Didn't consult the developers

26. SDLC - v2 - Manual:
● Application catalog - creation and maintenance of an application assets DB (application name, project team, technology, third-party extensions, etc.)
● Risk analysis - assess and rank how much risk each application adds
● Data analysis - value of the data
● Threat analysis - possible enemies and threats to the product
● Write down possible compliance issues
● Check the technologies used and identify the specific security measures, techniques and technologies that will apply to that project
● Create technology-specific best-practice secure development guidance
● Check the project architecture against a checklist of secure architecture principles
● Identify the entry points (attack surface / defence perimeter) in software designs
● Analyse software designs against the known security risks
● Write down which data will need to be logged from this project

27. SDLC - v2 - Manual:
● Actively discuss and help developers with questions they might have
● Find solutions for problems we might encounter
● Keep a log of all these issues so that when similar situations come up in the future there is a record of the solutions found, which can easily be adapted to other projects (example: a developer found project XYZ didn't use SSL; SecurityDude sat down with him and discussed how to do SSL on iOS and use SSL pinning)

28. SDLC - v2 - Dynamic:
● The developer submits his code to Source Radar himself and does a self-check for warnings
● Source Radar should log the following (this gives the security team an overview of the evolution of a project and the quality of the developers):
  ● number of reviews developer X did on project Y
  ● number of errors or warnings found in code by developer X on project Y
  ● types of errors found in code by developer X on project Y
● Use tools similar to O2 - automatic code fixes and automatic code warnings integrated into the IDE
● The security team does a source code review using Source Radar and technology-specific tools where they exist (example: Brakeman for Ruby on Rails)
● At the end, compare the security team's results with the results the developers got from Source Radar
● If previous analyses have been done, compare the current review with the previous ones and analyse the changes (more bugs of type X, fewer bugs of type Y, more bugs in the entire project)

29. SDLC - v2 - Interactive:
● The security team will try to break the project by simply interacting with it and using it. No security tools allowed in this phase.
● Log bugs with as much detail as possible in a spreadsheet and pass them over to the developers
● Create an entry, mark it as non-fixed, write the date the vulnerability was found
● Retest in the next iteration - if fixed, mark it in the spreadsheet and write the date the vulnerability was fixed

30. SDLC - v2 - Deploy - Staging - Manual:
● Test the application manually, using security tools such as Burp Proxy and others
● When a vulnerability is found, create a ticket for the project and assign it to the head of the project, who will then assign it to the correct developer
● Record the vulnerability in a log with the following: id, title, type, HTTP request / network request (if needed), screenshots of the abuse, notes, date found, name of the person who found the issue
● Mark it for retest
● Retest in the next iteration; if fixed, write in the log that it is fixed, the date it was confirmed as fixed and who retested. If it is not fixed, re-open the ticket and write a comment explaining why.

31. SDLC - v2 - Deploy - Staging - Dynamic:
● Automated application test - run automated tools such as Acunetix, Websecurify scanner, Burp Scanner and Nikto against the application
● Save the reports in the project folder
● Ticket, log, mark for retest and retest each finding exactly as in the manual staging test above

32. SDLC - v2 - Deploy - Staging - Static:
● Using static analysis tools, debug and test the application
● Save the reports in the project folder
● Ticket, log, mark for retest and retest each finding exactly as in the manual staging test above

33. SDLC - v2 - Deploy - Production - Manual:
● Go through all the data about the project
● Make sure no critical vulnerabilities are being passed to production
● Guarantee all retests have been done
● Using the checklist in Source Radar, guarantee everything has been checked and passed
● Pair code review of critical code only
● Guarantee all important information is being saved to the logs
● Verify logging works against complex manual attacks
● Verify warnings work against complex manual attacks
● If it is a critical application or one that contains important data, create an audit environment (copy of production)
● Book an external audit and have them test that environment
● When the results arrive, get them fixed ASAP

34. SDLC - v2 - Deploy - Production
Static:
● Verify and re-test all critical static issues found
Dynamic:
● Verify and re-test all critical dynamic issues found
● Verify logging works against automated tool attacks
● Verify warnings work against automated tool attacks
Interactive:
● Write a set of edge cases for the application and test them interactively

35. SDLC - v2 - Post Production Deployment - Manual:
● Monitor the project and attend to warnings and alerts
● Create a bug bounty for the project if it is public facing
● Check for new exploits in case new vulnerabilities show up for the technologies used; if any exist, get them fixed ASAP

36. SDLC - v2 - Post Production Deployment
Static:
● Have auto-throttling working correctly on functions that can be abused for DoS or brute force (create account, login brute force, etc.)
Dynamic:
● Run automated tools against these projects at least once a week to see if they identify anything new and simple
Interactive:
● Make normal use of all the functionality of the app to detect possible problems
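The "auto-throttling" bullet above names the control but not its shape. The following is an added example by the editor, not code from the talk or from Centralway: a sliding-window limiter applied to login, keyed both per target account and per source IP. The limits, window sizes and the in-memory store are assumptions made for the example; in production the counters would live in a shared store so every application instance sees the same numbers.

```ruby
# Added example (editor's), not the talk's or Centralway's code.
# Sliding-window throttle for brute-forceable functions such as login.
class SlidingWindowThrottle
  # The clock is injectable so behaviour can be tested without sleeping.
  def initialize(limit:, window_seconds:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @limit = limit
    @window = window_seconds
    @clock = clock
    @attempts = Hash.new { |h, k| h[k] = [] }
  end

  # Records one attempt for key and returns whether it is within the limit.
  # Failed attempts count too: the attacker pays for every try.
  def allow?(key)
    now = @clock.call
    times = @attempts[key]
    times.reject! { |t| t <= now - @window } # forget attempts outside the window
    return false if times.size >= @limit
    times << now
    true
  end
end

class LoginGuard
  # Limits below are assumed values for the example.
  def initialize(clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    # A tight per-account limit stops online guessing of one password;
    # a looser per-IP limit stops one source from spraying many accounts.
    @per_account = SlidingWindowThrottle.new(limit: 5, window_seconds: 300, clock: clock)
    @per_ip      = SlidingWindowThrottle.new(limit: 50, window_seconds: 300, clock: clock)
  end

  # Call before the password is even checked. Returns :ok, :throttled_ip or
  # :throttled_account. A window, rather than a permanent lockout, keeps an
  # attacker from locking real users out of their own accounts for good.
  def check(account, ip)
    return :throttled_ip unless @per_ip.allow?("ip:#{ip}")
    return :throttled_account unless @per_account.allow?("acct:#{account.to_s.downcase}")
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = LoginGuard.new
  6.times { |i| puts "attempt #{i + 1} for alice from 10.0.0.1: #{guard.check('alice', '10.0.0.1')}" }
end
```

Note the order of the two checks: the IP bucket is consulted first, so a source that is already throttled cannot keep filling account buckets and deny service to those users. The account key is downcased because login forms usually treat the account name case-insensitively and an attacker would otherwise get a fresh budget per spelling.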
37. SDLC - v2
Follow these steps for each version of your application / software.

39. Checklists - Developers
● Checklists for both the security team and the developers
● Best way to make sure you don't forget anything
● Makes your security team's life easier
● Faster to fix things
● Technology catalog - make a list of the technologies you use, hand it over to your security team and have them create checklists for you to follow

40. Checklists - Security
● Checklists for both the security team and the developers
● Best way to make sure you don't forget anything
● Makes your life easier, as your developers can follow the checklists and you don't need to worry about the basics!

41. Principles of Secure Development
● Created by David Rook
● Lets you understand the basic principles of writing secure code easily
● Based on the KISS (Keep It Short and Simple) principle
The eight principles: Input Validation; Output Validation; Error Handling; Authentication and Authorization; Session Management; Secure Communications; Secure Resource Access; Secure Storage

42. Principles 1 and 2 - Input and Output Validation
Risks covered:
● Injection attacks
● Cross Site Scripting
● Security Misconfiguration
● Unvalidated Redirects and Forwards
● Content Spoofing
● Unrestricted Upload of File with Dangerous Type
● Failure to Preserve SQL Query Structure, Web Page Structure, OS Command Structure
● URL Redirection to Untrusted Site
● Buffer Copy without Checking Size of Input
● Improper Limitation of a Pathname to a Restricted Directory
● Improper Control of Filename for Include or Require Statement in PHP Program
● Buffer Access with Incorrect Length Value
● Improper Validation of Array Index
● Integer Overflow or Wraparound
● Incorrect Calculation of Buffer Size
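Two of the risks listed above, worked through in code as an added example by the editor (not code from the talk, from David Rook's material or from Centralway): principle 1, input validation, applied to a redirect target ("Unvalidated Redirects and Forwards"), and principle 2, output validation, applied to an HTML fragment (Cross Site Scripting). Ruby is used because the rest of the talk's tooling is Ruby-based. The allowlist of hosts and every input are constructed for the example.

```ruby
require "uri"
require "erb"

# Added example (editor's), not code from the talk or Centralway.
ALLOWED_REDIRECT_HOSTS = %w[app.example.com www.example.com].freeze # assumed allowlist

# Principle 1, input validation: returns a safe redirect target or the fallback.
# Accepts only (a) an in-site path starting with a single "/" or
# (b) an absolute https URL whose host is on the allowlist.
def safe_redirect_target(target, allowed_hosts = ALLOWED_REDIRECT_HOSTS, fallback = "/")
  t = target.to_s.strip
  return fallback if t.empty?
  # "//evil.example" and "/\evil.example" are protocol-relative to a browser
  return fallback if t.start_with?("//", "/\\")

  uri = begin
    URI.parse(t)
  rescue URI::InvalidURIError
    return fallback
  end

  if uri.scheme.nil? && uri.host.nil?
    # Relative target: rebuild it from the parsed parts so only the path and
    # query are echoed back, never the raw string
    return fallback unless uri.path.to_s.start_with?("/")
    return uri.query ? "#{uri.path}?#{uri.query}" : uri.path
  end

  # Absolute target: scheme and host are compared exactly, so
  # "https://app.example.com.evil.example", "http://..." and
  # "https://app.example.com@evil.example" are all rejected
  return fallback unless uri.scheme == "https"
  return fallback unless allowed_hosts.include?(uri.host.to_s.downcase)
  uri.to_s
end

# Principle 2, output validation: encode for the HTML context at the point
# of output, not at the point of input.
def greeting_unsafe(name)
  "<p>Hello, #{name}</p>"                         # XSS if name is attacker-controlled
end

def greeting_safe(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}</p>"  # "<" becomes "&lt;", "\"" becomes "&quot;", ...
end

if __FILE__ == $PROGRAM_NAME
  ["/account?tab=1", "//evil.example/", "javascript:alert(1)",
   "https://app.example.com/dash", "https://app.example.com.evil.example/"].each do |t|
    puts "#{t.ljust(40)} -> #{safe_redirect_target(t)}"
  end
  puts greeting_unsafe("<script>alert(1)</script>")
  puts greeting_safe("<script>alert(1)</script>")
end
```

The redirect check is an allowlist, not a blocklist: anything that does not match one of the two accepted shapes falls back to "/", which is why the odd cases (userinfo tricks, protocol-relative paths, non-http schemes) need no individual handling. The HTML encoder is context-specific; a value placed inside a JavaScript block or a URL attribute needs a different encoder, which is the point behind the mail_to example later in the talk.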
43. Principle 3 - Error Handling
● Information Leakage
● Information Exposure Through an Error Message
● Improper Check for Unusual or Exceptional Conditions

44. Principle 4 - Authentication
● Broken Authentication and Session Management
● Security Misconfiguration
● Unvalidated Redirects and Forwards
● Insufficient Authorisation
● Insufficient Authentication
● Abuse of Functionality
● Use of Hard-coded Credentials
● Incorrect Permission Assignment for Critical Resource
● Reliance on Untrusted Inputs in a Security Decision
● Missing Authentication for Critical Function
● Improper Access Control

45. Principle 4 - Authorization
● Insufficient Authorisation
● Insufficient Authentication
● Abuse of Functionality
● Use of Hard-coded Credentials
● Incorrect Permission Assignment for Critical Resource
● Reliance on Untrusted Inputs in a Security Decision
● Missing Authentication for Critical Function
● Improper Access Control

46. Principle 5 - Session Management
● Broken Authentication and Session Management
● Cross Site Request Forgery

47. Principle 6 - Secure Communications
● Insufficient Transport Layer Protection
● Use of a Broken or Risky Cryptographic Algorithm
● Missing Encryption of Sensitive Data

48. Principle 7 - Secure Resource Access
● Insecure Direct Object Reference
● Failure to Restrict URL Access
● Security Misconfiguration
● Unvalidated Redirects and Forwards
● Predictable Resource Location
● Improper Limitation of a Pathname to a Restricted Directory
● Improper Control of Filename for Include/Require Statement in PHP Program
● Allocation of Resources Without Limits or Throttling

49. Principle 8 - Secure Storage
● Insecure Cryptographic Storage
● Use of a Broken or Risky Cryptographic Algorithm
● Missing Encryption of Sensitive Data

50. Automation - Open Source and Free tools
● Agnitio
● Brakeman
● OWASP ZAP
● Codesake Dawn
● Gauntlt
● Source Radar

51. Agnitio
● Developed by David Rook
● Source code analysis
● Rule based
● Windows only
● Open source

52. Brakeman
● Only for Ruby on Rails
● http://brakemanscanner.org/
● Easily integrated into Jenkins and other CI software, so that you get automated reports each time a new build is done
● Open source
● Awesome dev team

53. OWASP ZAP
● Proxy used to intercept requests, with a built-in vulnerability scanner for web applications
● Really good scripting engine (Python)
● Grab all your developers' tests and run them through ZAP as a proxy with the active scanner on
● Will detect basic stuff like XSS and some really 101 SQLi for free (in case you can't afford hiring a security member or just want a really basic automated check)

54. Codesake Dawn
● Codesake::Dawn is a gem providing a security source code analyser for web applications written in Ruby
● When you run Codesake::Dawn on your code it parses your project's Gemfile.lock looking for the gems used, and tries to detect the Ruby interpreter version you are using or declared in your preferred Ruby version management tool (RVM, rbenv, ...)
● Then the tool tries to detect the MVC framework your web application uses and applies the security checks accordingly
● There are checks designed for Rails applications and checks that apply to any Ruby code
● https://github.com/codesake/codesake-dawn

55. Gauntlt
● An always-attacking environment for developers
● Easy syntax to write attack use cases
● Can use lots of tools, as you can invoke command-line commands directly
The attack file shown on the slide, a Cucumber feature that runs sqlmap against a local target and asserts on its output:

```gherkin
@slow @announce
Feature: Run sqlmap against a target
  Scenario: Identify SQL injection vulnerabilities
    Given "sqlmap" is installed
    And the following profile:
      | name       | value                                           |
      | target_url | http://localhost:9292/sql-injection?number_id=1 |
    When I launch a "sqlmap" attack with:
      """
      python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
      """
    Then the output should contain:
      """
      sqlmap identified the following injection points
      """
    And the output should contain:
      """
      [2 tables]
      +-----------------+
      | passwords       |
      | sqlite_sequence |
      +-----------------+
      """
```

57. Source Radar
● Alpha. Very alpha. More a proof of concept than anything else
● Rule based
● Can take any language - for the languages it has a parser for it will generate an AST and then do the analysis; if not, it falls back to pure text parsing
● Can be used by developers and security teams
● Dream team generator
● Reward based - gamification

58. Source Radar - Example
● CVE-2011-0446
● Potential XSS problem with mail_to :encode => :javascript
● All you need to do in Source Radar is create a rule, and it will go through all projects and automatically look for projects that use this function
59. Source Radar - Rewards
● Gamification
● Badges

62. Gamification
● People like games
● Devs do hard work
● And on top of that we want them to do security
● Why not at least try to make it fun and rewarding for them?

63. Gamification in security - Objectives
● Make devs want to do security
● Make them want to do it often
● Reward them correctly
● Because they do it more often, we get more data (helps the security team; more on this in a little while)

65. Data - Metrics - KPIs
● If you look closely, Source Radar has some extra fields on the vulnerability records
● On top of that it isn't just an open web application: it has a user management system associated with it
● Why?

66. Data - Metrics - KPIs
● Measuring security
● Does security do anything?
● How secure are we?
● How secure were we yesterday?
● Have we been improving?

69. Data - Metrics - KPIs
● Weighted Risk Trend (WRT)
● Defect Remediation Window (DRW)
● Rate of Defect Recurrence (RDR)
● Security to Quality defect Ratio (SQR)
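The four KPIs above only make sense once the vulnerability log from the staging slides (id, type, date found, date fixed, who retested) is kept consistently. The following is an added example by the editor, not the talk's or Source Radar's code, computing each metric from such a log. The precise metric definitions, the severity field and its weights are assumptions made for the example, and the log entries are constructed.

```ruby
require "date"

# Added example (editor's), not the talk's or Source Radar's code.
SEVERITY_WEIGHT = { "critical" => 10, "high" => 5, "medium" => 2, "low" => 1 }.freeze # assumed

Defect = Struct.new(:id, :project, :type, :severity, :found, :fixed, keyword_init: true) do
  def open_on?(day)
    found <= day && (fixed.nil? || fixed > day)
  end
end

# Constructed log entries for the example.
LOG = [
  Defect.new(id: 1, project: "shop", type: "xss",  severity: "high",     found: Date.new(2014, 3, 3),  fixed: Date.new(2014, 3, 7)),
  Defect.new(id: 2, project: "shop", type: "sqli", severity: "critical", found: Date.new(2014, 3, 3),  fixed: Date.new(2014, 3, 4)),
  Defect.new(id: 3, project: "shop", type: "xss",  severity: "high",     found: Date.new(2014, 3, 20), fixed: Date.new(2014, 3, 28)),
  Defect.new(id: 4, project: "api",  type: "idor", severity: "critical", found: Date.new(2014, 3, 10), fixed: nil),
  Defect.new(id: 5, project: "api",  type: "xss",  severity: "medium",   found: Date.new(2014, 3, 25), fixed: nil),
].freeze

# WRT: total severity weight of the defects still open on each sample day.
# Plotted over time, a rising line means risk is added faster than it is removed.
def weighted_risk_trend(log, days)
  days.map do |day|
    [day, log.select { |x| x.open_on?(day) }.sum { |x| SEVERITY_WEIGHT.fetch(x.severity) }]
  end
end

# DRW: mean number of days from "found" to "fixed", over fixed defects only.
def defect_remediation_window(log)
  fixed = log.select(&:fixed)
  return nil if fixed.empty?
  fixed.sum { |x| (x.fixed - x.found).to_i }.to_f / fixed.size
end

# RDR: share of defects whose (project, type) had already been fixed once
# before this one was found, i.e. the same class of bug came back.
def rate_of_defect_recurrence(log)
  recurring = log.count do |x|
    log.any? { |y| y.id != x.id && y.project == x.project && y.type == x.type && y.fixed && y.fixed <= x.found }
  end
  recurring.to_f / log.size
end

# SQR: security defects per quality (non-security) defect found in the same period.
def security_to_quality_ratio(log, quality_defect_count)
  return nil if quality_defect_count.zero?
  log.size.to_f / quality_defect_count
end

if __FILE__ == $PROGRAM_NAME
  sample_days = [Date.new(2014, 3, 5), Date.new(2014, 3, 26), Date.new(2014, 3, 31)]
  weighted_risk_trend(LOG, sample_days).each { |day, w| puts "WRT #{day}: #{w}" }
  puts "DRW: #{defect_remediation_window(LOG).round(1)} days"
  puts "RDR: #{rate_of_defect_recurrence(LOG)}"
  puts "SQR: #{security_to_quality_ratio(LOG, 20)}"
end
```

The recurrence metric is the one that answers the training question that closes the talk: a developer whose project keeps re-introducing the same defect type after it was fixed is the one who gets the tailored session on that type.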
70. Data - Metrics - KPIs

71. Developer training
Security: Hey Boss, I need the team of developers from project X for 2 days for the application security training.

72. Developer training
Boss: HAHA! Nope. That would stop the project for too long. You get 1 hour with each developer.

73. Developer training
● Tailored training - if developer X has only been having problems related to a specific category like cryptography, why am I going to make him listen to me ramble about user input and output filtering again?
● Teach each developer only what he needs = faster security training
● Metrics - developer improvement over time, pre-training vs after