SlideShare a Scribd company logo

Secured Development

Burhan Khalid
Burhan Khalid

Burhan Khalid presented on secure software development practices. He discussed the three Ps of security - People, Process, and Persistence/Practice. He emphasized that security is not just about products but also development practices. Standards for secure development include SSE-CMM, TSP-Secure, and SAMM. Practical best practices include standardizing infrastructure, isolating development environments, peer reviews, centralized bug tracking, and using appropriate tools and frameworks. Common myths debunked are that complex passwords are secure, closed source is less secure than open source, and third party testing ensures code security.

Technology
1 of 19
Download to read offline
SECURE DEV. BURHAN KHALID BURHAN.KHALID@GMAIL.COM
TODAY’S TALK •  3 Ps of Info. Security •  Secure Development - Published Standards •  Practical Best Practices – Implementation Guidelines •  S.I.T.A.T •  Debunking Common Myths
THREE P OF SECURITY •  PEOPLE •  PROCESS •  PERSISTANCE / PRACTICE •  SECURITY IS NOT = PRODUCT
WHY DEVELOPMENT SECURITY? •  MAJORITY of security vulnerabilities result from poor code •  Great impact vs. minimal investment •  Awareness at the basic, fundamental, core •  Reciprocal effect •  Best Use of Resources
STANDARDS •  SSE-CMM •  Systems Security Engineering – Capability Maturity Model •  TSP-Secure •  Team Software Process for Secure Software Development •  Microsoft Trustworthy Computing Software Development Lifecyle •  SAMM •  Software Assurance Maturity Model •  SSF •  Software Security Framework
PRACTICAL IDEAS •  Standardize •  Isolate •  Testing & Peer Reviews •  Audits •  Tooling
STANDARDIZE •  Infrastructure •  What systems to use •  What versions/patches to deploy •  Methodology •  Waterfall •  Agile •  Swimlanes •  Kanban Boards •  SDLC •  Deployment Automation
ISOLATE •  Development Stages •  Development •  Testing •  Staging •  Production •  Isolate: •  Hardware •  Connectivity •  Credentials •  Centralized Credential Store (LDAP/AD/SSO/Federation) •  Change Management Process
TESTING •  Software should be tested by the following: •  Developers •  End Users •  Dedicated QA/QC Team •  Everyone in the company •  CEO-only •  Customer-only •  My Boss •  One Good Test = Hours of Development time saved •  One Bad Test = Hours of Development time wasted •  Development Time = Money
GOOD TESTS VS. BAD TESTS •  Centralized Bug Database •  That everyone uses, not just developers •  Good Tests = Good Bug Reports •  Repeatable •  Example •  Expected This, Got This •  BugCam / ScreenCapture •  Bad Tests •  Bugs that can’t be reproduced •  Backlog of bugs •  Time wasted chasing non-software issues
PEER / CODE REVIEWS •  Creating a proper environment •  Peer Reviews vs. Testing •  Implementation vs. Execution •  Code / Algorithm Level •  “Is there a better way to write this loop?” •  Pool expertise together •  Learning Environment
TOOLING •  Good Quality Tools = Good Quality Product •  Standardize on tooling and frameworks •  Standard Documentation and bootstrapping •  Use a wiki/intranet •  Geared towards developers •  Centralize machine images
ABOUT FRAMEWORKS •  Software frameworks good: •  Set of rules that lead to benefits •  “Batteries Included” •  Save Development Time •  Common security headaches dealt with •  Software frameworks bad: •  Black box – too much “magic” •  Another thing to patch/maintain •  Collateral damage •  Conclusion: •  Use the Right framework, not the Popular framework
COMMON MYTHS •  Complex passwords are secure passwords •  Closed Source vs. Open Source •  3rd Party Testing = Assurance
COMPLEX PASSWORDS •  Typical password requirements: •  1 CAPITAL letter •  1 lowercase letter •  1 numeric character •  1 “special” character •  8 characters in length •  Cannot repeat X passwords •  Opposite Effect •  People write down passwords •  Repeat patterns (Apr@2012, May@2012)
Password policies have led to passwords that are difficult for people to remember, but easy for machines to crack.
CLOSED SOURCE VS. OPEN SOURCE •  Common Myths: •  Since its open, means hackers know the code •  Anyone can find bugs and exploit them •  The Truth: •  More Eyes = More People to Fix the bug •  If a bug is found, it is announced and quickly fixed •  No more “zero day” exploits
3RD PARTY TESTING •  Myth •  They will test my code •  They will tell me what’s wrong •  If they say it passes, it is secure •  Truth •  Testing done against published vulnerabilities only •  Report tells you what is wrong with your stack not with your code. •  Apache vulnerability •  Windows patch missing •  Your code is evolving
THANK YOU QUESTIONS @BURHAN – HTTP://SPKR8.COM/S/15462

Recommended

Build social apps for Facebook
Build social apps for FacebookBuild social apps for Facebook
Build social apps for FacebookMohammad Emran Hasan
 
Web Application Development Process presented by @Cygnismedia
Web Application Development Process presented by @CygnismediaWeb Application Development Process presented by @Cygnismedia
Web Application Development Process presented by @CygnismediaClark Davidson
 
Google Chrome Extensions - DevFest09
Google Chrome Extensions - DevFest09Google Chrome Extensions - DevFest09
Google Chrome Extensions - DevFest09mihaiionescu
 
Building Chrome Extensions
Building Chrome ExtensionsBuilding Chrome Extensions
Building Chrome ExtensionsRon Reiter
 
Chrome Apps & Extensions
Chrome Apps & ExtensionsChrome Apps & Extensions
Chrome Apps & ExtensionsVarun Raj
 
Introduction to Web Architecture
Introduction to Web ArchitectureIntroduction to Web Architecture
Introduction to Web ArchitectureChamnap Chhorn
 
Tech Stack Ideas
Tech Stack IdeasTech Stack Ideas
Tech Stack Ideasnsclark
 
Developing WordPress Plugins : For Begineers
Developing WordPress Plugins : For BegineersDeveloping WordPress Plugins : For Begineers
Developing WordPress Plugins : For BegineersM A Hossain Tonu
 

Recommended

Build social apps for Facebook
Build social apps for FacebookBuild social apps for Facebook
Build social apps for FacebookMohammad Emran Hasan
 
Web Application Development Process presented by @Cygnismedia
Web Application Development Process presented by @CygnismediaWeb Application Development Process presented by @Cygnismedia
Web Application Development Process presented by @CygnismediaClark Davidson
 
Google Chrome Extensions - DevFest09
Google Chrome Extensions - DevFest09Google Chrome Extensions - DevFest09
Google Chrome Extensions - DevFest09mihaiionescu
 
Building Chrome Extensions
Building Chrome ExtensionsBuilding Chrome Extensions
Building Chrome ExtensionsRon Reiter
 
Chrome Apps & Extensions
Chrome Apps & ExtensionsChrome Apps & Extensions
Chrome Apps & ExtensionsVarun Raj
 
Introduction to Web Architecture
Introduction to Web ArchitectureIntroduction to Web Architecture
Introduction to Web ArchitectureChamnap Chhorn
 
Tech Stack Ideas
Tech Stack IdeasTech Stack Ideas
Tech Stack Ideasnsclark
 
Developing WordPress Plugins : For Begineers
Developing WordPress Plugins : For BegineersDeveloping WordPress Plugins : For Begineers
Developing WordPress Plugins : For BegineersM A Hossain Tonu
 
Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017
Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017
Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017Septian Tama
 
Net training in bhubaneswar
Net training in bhubaneswar Net training in bhubaneswar
Net training in bhubaneswar litbbsr
 
Mobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressMobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressDanilo Ercoli
 
Orange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox ExtensionOrange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox Extensionchaykaborya
 
WordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesWordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesDanilo Ercoli
 
Introduction to WordPress Class 1
Introduction to WordPress Class 1Introduction to WordPress Class 1
Introduction to WordPress Class 1Adrian Mikeliunas
 
SharePoint Framework 101 (SPFx)
SharePoint Framework 101 (SPFx)SharePoint Framework 101 (SPFx)
SharePoint Framework 101 (SPFx)Matthew J. Bailey , MCT
 
Improve WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeImprove WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeDanilo Ercoli
 
Google chrome extension
Google chrome extensionGoogle chrome extension
Google chrome extensionJohnny Kingdom
 
What is a good technology stack today?
What is a good technology stack today?What is a good technology stack today?
What is a good technology stack today?Netlight Consulting
 
Using Composer to create manageable WordPress websites
Using Composer to create manageable WordPress websitesUsing Composer to create manageable WordPress websites
Using Composer to create manageable WordPress websitesAnna Ladoshkina
 
Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...
Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...
Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...adamhorvath
 
Succeeding with FOSS!
Succeeding with FOSS!Succeeding with FOSS!
Succeeding with FOSS!M A Hossain Tonu
 
Introduction to Meteor - Worldwide Meteor Day
Introduction to Meteor - Worldwide Meteor DayIntroduction to Meteor - Worldwide Meteor Day
Introduction to Meteor - Worldwide Meteor DayM A Hossain Tonu
 
Setting up your development environment
Setting up your development environmentSetting up your development environment
Setting up your development environmentRobert Deutz
 
Introduction to word press
Introduction to word pressIntroduction to word press
Introduction to word pressLucky Ali
 
Discovering Chrome Extensions
Discovering Chrome ExtensionsDiscovering Chrome Extensions
Discovering Chrome ExtensionsÀlex Cabrera Gil
 
Chrome Extension Develop Starts
Chrome Extension Develop StartsChrome Extension Develop Starts
Chrome Extension Develop Startstaobao.com
 
Web application framework
Web application frameworkWeb application framework
Web application frameworkPankaj Chand
 
Introduction to Web Technology Stacks
Introduction to Web Technology StacksIntroduction to Web Technology Stacks
Introduction to Web Technology StacksPrakarsh -
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 

More Related Content

What's hot

Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017
Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017
Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017Septian Tama
 
Net training in bhubaneswar
Net training in bhubaneswar Net training in bhubaneswar
Net training in bhubaneswar litbbsr
 
Mobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressMobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressDanilo Ercoli
 
Orange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox ExtensionOrange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox Extensionchaykaborya
 
WordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesWordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesDanilo Ercoli
 
Introduction to WordPress Class 1
Introduction to WordPress Class 1Introduction to WordPress Class 1
Introduction to WordPress Class 1Adrian Mikeliunas
 
Improve WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeImprove WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeDanilo Ercoli
 
Google chrome extension
Google chrome extensionGoogle chrome extension
Google chrome extensionJohnny Kingdom
 
What is a good technology stack today?
What is a good technology stack today?What is a good technology stack today?
What is a good technology stack today?Netlight Consulting
 
Using Composer to create manageable WordPress websites
Using Composer to create manageable WordPress websitesUsing Composer to create manageable WordPress websites
Using Composer to create manageable WordPress websitesAnna Ladoshkina
 
Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...
Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...
Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...adamhorvath
 
Introduction to Meteor - Worldwide Meteor Day
Introduction to Meteor - Worldwide Meteor DayIntroduction to Meteor - Worldwide Meteor Day
Introduction to Meteor - Worldwide Meteor DayM A Hossain Tonu
 
Setting up your development environment
Setting up your development environmentSetting up your development environment
Setting up your development environmentRobert Deutz
 
Introduction to word press
Introduction to word pressIntroduction to word press
Introduction to word pressLucky Ali
 
Discovering Chrome Extensions
Discovering Chrome ExtensionsDiscovering Chrome Extensions
Discovering Chrome ExtensionsÀlex Cabrera Gil
 
Chrome Extension Develop Starts
Chrome Extension Develop StartsChrome Extension Develop Starts
Chrome Extension Develop Startstaobao.com
 
Web application framework
Web application frameworkWeb application framework
Web application frameworkPankaj Chand
 
Introduction to Web Technology Stacks
Introduction to Web Technology StacksIntroduction to Web Technology Stacks
Introduction to Web Technology StacksPrakarsh -
 

What's hot (20)

Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017
Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017
Jakarta js meetup - Real time web apps with vue & firebase - may 17, 2017
 
Net training in bhubaneswar
Net training in bhubaneswar Net training in bhubaneswar
Net training in bhubaneswar
 
Mobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPressMobile Hybrid Development with WordPress
Mobile Hybrid Development with WordPress
 
Orange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox ExtensionOrange is the new blue: How to port Chrome Extension to Firefox Extension
Orange is the new blue: How to port Chrome Extension to Firefox Extension
 
WordPress Development Tools and Best Practices
WordPress Development Tools and Best PracticesWordPress Development Tools and Best Practices
WordPress Development Tools and Best Practices
 
Introduction to WordPress Class 1
Introduction to WordPress Class 1Introduction to WordPress Class 1
Introduction to WordPress Class 1
 
SharePoint Framework 101 (SPFx)
SharePoint Framework 101 (SPFx)SharePoint Framework 101 (SPFx)
SharePoint Framework 101 (SPFx)
 
Improve WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of codeImprove WordPress performance with caching and deferred execution of code
Improve WordPress performance with caching and deferred execution of code
 
Google chrome extension
Google chrome extensionGoogle chrome extension
Google chrome extension
 
What is a good technology stack today?
What is a good technology stack today?What is a good technology stack today?
What is a good technology stack today?
 
Using Composer to create manageable WordPress websites
Using Composer to create manageable WordPress websitesUsing Composer to create manageable WordPress websites
Using Composer to create manageable WordPress websites
 
Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...
Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...
Chrome Extension Development - Adam Horvath, Google Technology User Group, Sy...
 
Succeeding with FOSS!
Succeeding with FOSS!Succeeding with FOSS!
Succeeding with FOSS!
 
Introduction to Meteor - Worldwide Meteor Day
Introduction to Meteor - Worldwide Meteor DayIntroduction to Meteor - Worldwide Meteor Day
Introduction to Meteor - Worldwide Meteor Day
 
Setting up your development environment
Setting up your development environmentSetting up your development environment
Setting up your development environment
 
Introduction to word press
Introduction to word pressIntroduction to word press
Introduction to word press
 
Discovering Chrome Extensions
Discovering Chrome ExtensionsDiscovering Chrome Extensions
Discovering Chrome Extensions
 
Chrome Extension Develop Starts
Chrome Extension Develop StartsChrome Extension Develop Starts
Chrome Extension Develop Starts
 
Web application framework
Web application frameworkWeb application framework
Web application framework
 
Introduction to Web Technology Stacks
Introduction to Web Technology StacksIntroduction to Web Technology Stacks
Introduction to Web Technology Stacks
 

Similar to Secured Development

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 
Team-based Development with Version Control
Team-based Development with Version ControlTeam-based Development with Version Control
Team-based Development with Version ControlRed Gate Software
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Security Innovation
 
A Brief Introduction to Test-Driven Development
A Brief Introduction to Test-Driven DevelopmentA Brief Introduction to Test-Driven Development
A Brief Introduction to Test-Driven DevelopmentShawn Jones
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
Owasp tds
Owasp tdsOwasp tds
Owasp tdssnyff
 
Grant Fritchey Justin Caldicott - Best practices for database deployments
Grant Fritchey Justin Caldicott - Best practices for database deploymentsGrant Fritchey Justin Caldicott - Best practices for database deployments
Grant Fritchey Justin Caldicott - Best practices for database deploymentsRed Gate Software
 
TLC2018 Thomas Haver: The Automation Firehose - Be Strategic and Tactical
TLC2018 Thomas Haver: The Automation Firehose - Be Strategic and TacticalTLC2018 Thomas Haver: The Automation Firehose - Be Strategic and Tactical
TLC2018 Thomas Haver: The Automation Firehose - Be Strategic and TacticalAnna Royzman
 
Twelve practices of XP_Se lect5 btech
Twelve practices of XP_Se lect5 btechTwelve practices of XP_Se lect5 btech
Twelve practices of XP_Se lect5 btechIIITA
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsSecurity Innovation
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 

Similar to Secured Development (20)

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
 
Team-based Development with Version Control
Team-based Development with Version ControlTeam-based Development with Version Control
Team-based Development with Version Control
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Enterprise PHP
Enterprise PHPEnterprise PHP
Enterprise PHP
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Hacker vs tools
Hacker vs toolsHacker vs tools
Hacker vs tools
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?
 
A Brief Introduction to Test-Driven Development
A Brief Introduction to Test-Driven DevelopmentA Brief Introduction to Test-Driven Development
A Brief Introduction to Test-Driven Development
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
It's XP, Stupid
It's XP, StupidIt's XP, Stupid
It's XP, Stupid
 
Salesforce static code analysis
Salesforce static code analysisSalesforce static code analysis
Salesforce static code analysis
 
Owasp tds
Owasp tdsOwasp tds
Owasp tds
 
Grant Fritchey Justin Caldicott - Best practices for database deployments
Grant Fritchey Justin Caldicott - Best practices for database deploymentsGrant Fritchey Justin Caldicott - Best practices for database deployments
Grant Fritchey Justin Caldicott - Best practices for database deployments
 
TLC2018 Thomas Haver: The Automation Firehose - Be Strategic and Tactical
TLC2018 Thomas Haver: The Automation Firehose - Be Strategic and TacticalTLC2018 Thomas Haver: The Automation Firehose - Be Strategic and Tactical
TLC2018 Thomas Haver: The Automation Firehose - Be Strategic and Tactical
 
Twelve practices of XP_Se lect5 btech
Twelve practices of XP_Se lect5 btechTwelve practices of XP_Se lect5 btech
Twelve practices of XP_Se lect5 btech
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security Tools
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 

Recently uploaded

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

Recently uploaded (20)

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

Secured Development

  • 2. TODAY’S TALK •  3 Ps of Info. Security •  Secure Development - Published Standards •  Practical Best Practices – Implementation Guidelines •  S.I.T.A.T •  Debunking Common Myths
  • 3. THREE P OF SECURITY •  PEOPLE •  PROCESS •  PERSISTANCE / PRACTICE •  SECURITY IS NOT = PRODUCT
  • 4. WHY DEVELOPMENT SECURITY? •  MAJORITY of security vulnerabilities result from poor code •  Great impact vs. minimal investment •  Awareness at the basic, fundamental, core •  Reciprocal effect •  Best Use of Resources
  • 5. STANDARDS •  SSE-CMM •  Systems Security Engineering – Capability Maturity Model •  TSP-Secure •  Team Software Process for Secure Software Development •  Microsoft Trustworthy Computing Software Development Lifecyle •  SAMM •  Software Assurance Maturity Model •  SSF •  Software Security Framework
  • 6. PRACTICAL IDEAS •  Standardize •  Isolate •  Testing & Peer Reviews •  Audits •  Tooling
  • 7. STANDARDIZE •  Infrastructure •  What systems to use •  What versions/patches to deploy •  Methodology •  Waterfall •  Agile •  Swimlanes •  Kanban Boards •  SDLC •  Deployment Automation
  • 8. ISOLATE •  Development Stages •  Development •  Testing •  Staging •  Production •  Isolate: •  Hardware •  Connectivity •  Credentials •  Centralized Credential Store (LDAP/AD/SSO/Federation) •  Change Management Process
  • 9. TESTING •  Software should be tested by the following: •  Developers •  End Users •  Dedicated QA/QC Team •  Everyone in the company •  CEO-only •  Customer-only •  My Boss •  One Good Test = Hours of Development time saved •  One Bad Test = Hours of Development time wasted •  Development Time = Money
  • 10. GOOD TESTS VS. BAD TESTS •  Centralized Bug Database •  That everyone uses, not just developers •  Good Tests = Good Bug Reports •  Repeatable •  Example •  Expected This, Got This •  BugCam / ScreenCapture •  Bad Tests •  Bugs that can’t be reproduced •  Backlog of bugs •  Time wasted chasing non-software issues
  • 11. PEER / CODE REVIEWS •  Creating a proper environment •  Peer Reviews vs. Testing •  Implementation vs. Execution •  Code / Algorithm Level •  “Is there a better way to write this loop?” •  Pool expertise together •  Learning Environment
  • 12. TOOLING •  Good Quality Tools = Good Quality Product •  Standardize on tooling and frameworks •  Standard Documentation and bootstrapping •  Use a wiki/intranet •  Geared towards developers •  Centralize machine images
  • 13. ABOUT FRAMEWORKS •  Software frameworks good: •  Set of rules that lead to benefits •  “Batteries Included” •  Save Development Time •  Common security headaches dealt with •  Software frameworks bad: •  Black box – too much “magic” •  Another thing to patch/maintain •  Collateral damage •  Conclusion: •  Use the Right framework, not the Popular framework
  • 14. COMMON MYTHS •  Complex passwords are secure passwords •  Closed Source vs. Open Source •  3rd Party Testing = Assurance
  • 15. COMPLEX PASSWORDS •  Typical password requirements: •  1 CAPITAL letter •  1 lowercase letter •  1 numeric character •  1 “special” character •  8 characters in length •  Cannot repeat X passwords •  Opposite Effect •  People write down passwords •  Repeat patterns (Apr@2012, May@2012)
  • 16. Password policies have led to passwords that are difficult for people to remember, but easy for machines to crack.
  • 17. CLOSED SOURCE VS. OPEN SOURCE •  Common Myths: •  Since its open, means hackers know the code •  Anyone can find bugs and exploit them •  The Truth: •  More Eyes = More People to Fix the bug •  If a bug is found, it is announced and quickly fixed •  No more “zero day” exploits
  • 18. 3RD PARTY TESTING •  Myth •  They will test my code •  They will tell me what’s wrong •  If they say it passes, it is secure •  Truth •  Testing done against published vulnerabilities only •  Report tells you what is wrong with your stack not with your code. •  Apache vulnerability •  Windows patch missing •  Your code is evolving