SSDLC - Secure Software
Development Lifecycle
L. Molari – S. Monti – A. Proscia
@imolinfo
https://www.imolainformatica.it
How much does it cost?
if (multiWrapper.hasErrors()) {
    for (LocalizedMessage error : multiWrapper.getErrors()) {
        if (validation != null) {
            validation.addActionError(
                LocalizedTextUtil.findText(error.getClazz(),
                                           error.getTextKey(),
                                           ActionContext.getContext().getLocale(),
                                           error.getDefaultMessage(),
                                           error.getArgs()));
        }
    }
}
#SSDLC@imolinfo
source Reuters: https://reut.rs/2QsGivt
A little patch…
Security costs.
Average cost of a data breach in 2017 was…
Security costs. When you don’t care about it.
…3.62 million dollars.
source IBM: https://ibm.co/2tMp7ek
GDPR: Take care of users’ data
With GDPR, data breaches will be more and more expensive: fines up to € 20M
Security misconceptions
Security should not be a matter of fences…
…or products or tools either
Key Principles
Security should be a process
Security should be testable
Security should be measurable
Security as a Process
Security should be a process
Software Development LifeCycle (SDLC)
A typical perspective: «Security» goes here, at the end
Don’t care about Security
Let’s deliver the application
(Secure) Software Development LifeCycle (SSDLC)
Dynamic Application Security Testing
Static Application Security Testing
Software Component Analysis
SSDLC Landscape
Phases: Analysis, Design, Development, Testing, Maintenance
Practices and tools placed across the lifecycle:
▪ SAST
▪ Code Review
▪ Software Component Analysis
▪ DAST / IAST
▪ SIEM
▪ Vault Management
▪ Issue Tracking
▪ Independent Vulnerability Assessment
▪ Risk Management
▪ Consolidated Security Standard
▪ Security Best Practices
▪ Threat Modelling
▪ Secure Coding Guidelines
▪ Security Response Planning
▪ Secure Testing Policies
▪ Security Response Execution
▪ Education & Awareness
▪ RASP
▪ Enterprise Information Security Architecture
▪ Continuous Vulnerability Assessment
OWASP 2017 Top 10
OWASP Top 10 Application Security Risks – 2017
A1:2017 - Injection
A2:2017 - Broken Authentication
A3:2017 - Sensitive Data Exposure
A4:2017 - XML External Entities (XXE)
A5:2017 - Broken Access Control
A6:2017 - Security Misconfiguration
A7:2017 - Cross-Site Scripting (XSS)
A8:2017 - Insecure Deserialization
A9:2017 - Using Components with Known Vulnerabilities
A10:2017 - Insufficient Logging & Monitoring
source OWASP: https://bit.ly/2HlP8H5
Security Testing Tools
Security should be testable
(Secure) Software Development LifeCycle (SSDLC)
Dynamic Application Security Testing
Static Application Security Testing
Software Component Analysis
SAST - Static Application Security Testing
SAST lets you find flaws in source code by matching it against well-known patterns of bad programming habits.
SAST - Static Application Security Testing
String query = "select count(*) as number " +
               " from required_documents rd, " +
               " required_documents_quotations rdq, " +
               " quotations q, documents d " +
               " where rd.id = rdq.id_document " +
               " and rd.id = d.id " +
               " and rdq.id_quotation = q.id " +
               " and q.end_date > sysdate " +
               " and rd.status = 'EXP' " +
               " and q.quotation_number = " + quotation;
Thank you guys!
SAST - Static Application Security Testing
String key = "A Fixed Password"; // 128 bit key
// Create key and cipher
Key aesKey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES");
// encrypt the text
cipher.init(Cipher.ENCRYPT_MODE, aesKey);
byte[] encrypted = cipher.doFinal(password.getBytes());
What’s wrong with you bro’???
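The two SAST slides above (the SQL string built by concatenation and the AES snippet with a fixed key) are exactly the kind of "known patterns of bad programming habits" a static analyser looks for. The script below is an added example, not code from the deck and not SonarQube's engine: a toy SAST pass with three rules of its own (a variable concatenated into a SQL literal, a SecretKeySpec built from a string literal, and Cipher.getInstance("AES") with no explicit mode and padding, which leaves the choice to the JCE provider; the default SunJCE provider then uses ECB with PKCS5 padding). The rule names, severities and regular expressions are this example's choices; it runs over the deck's two snippets plus a constructed hardened version that uses a PreparedStatement parameter, a key that is not a literal, and AES/GCM/NoPadding.

```python
"""Toy SAST pass over Java source (added example; rules and names are this example's own)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    severity: str
    message: str


# Pattern catalogue. Each regex encodes one bad habit; a real analyser works on a parse tree.
SQL_LITERAL = re.compile(r'"\s*(select|insert|update|delete)\b', re.IGNORECASE)
CONCAT_VAR = re.compile(r'\+\s*([A-Za-z_][\w.]*)')            # "+ identifier", never "+ \"literal\""
STRING_LITERAL_ASSIGN = re.compile(r'String\s+(\w+)\s*=\s*"')  # String name = "..."
KEYSPEC_FROM_VAR = re.compile(r'new\s+SecretKeySpec\(\s*(\w+)\.getBytes\(')
KEYSPEC_FROM_LITERAL = re.compile(r'new\s+SecretKeySpec\(\s*"')
BARE_AES = re.compile(r'Cipher\.getInstance\(\s*"AES"\s*\)')


def strip_comments(source):
    """Remove // and /* */ comments while keeping every newline so line numbers stay valid."""
    source = re.sub(r'/\*.*?\*/', lambda m: "\n" * m.group(0).count("\n"), source, flags=re.S)
    return re.sub(r'//[^\n]*', '', source)


def statements(source):
    """Yield (line_number, statement) by splitting on ';' -- crude, but enough for snippets like the deck's."""
    for m in re.finditer(r'[^;]*;', source):
        text = m.group(0)
        first_char = m.start() + (len(text) - len(text.lstrip()))
        yield source.count("\n", 0, first_char) + 1, text.strip()


def scan(source):
    """Return the findings for one Java source fragment, in statement order."""
    findings = []
    literal_strings = set()  # names of String variables initialised from a literal
    for line, stmt in statements(strip_comments(source)):
        m = STRING_LITERAL_ASSIGN.search(stmt)
        if m:
            literal_strings.add(m.group(1))
        if SQL_LITERAL.search(stmt):
            for var in CONCAT_VAR.findall(stmt):
                findings.append(Finding("sql-concat", line, "Blocker",
                                        f"'{var}' is concatenated into a SQL string; bind it as a PreparedStatement parameter"))
        m = KEYSPEC_FROM_VAR.search(stmt)
        if (m and m.group(1) in literal_strings) or KEYSPEC_FROM_LITERAL.search(stmt):
            findings.append(Finding("hardcoded-key", line, "Blocker",
                                    "cryptographic key derived from a string literal; load it from a key store or secret manager"))
        if BARE_AES.search(stmt):
            findings.append(Finding("aes-default-mode", line, "Critical",
                                    'Cipher.getInstance("AES") leaves mode and padding to the provider (ECB/PKCS5Padding on SunJCE); '
                                    'name an authenticated mode such as AES/GCM/NoPadding'))
    return findings


# Inputs: the deck's two snippets, and a constructed hardened counterpart.
SQL_SNIPPET = '''String query = "select count(*) as number "+
        " from required_documents rd, "+
        " required_documents_quotations rdq, "+
        " quotations q, documents d "+
        " where rd.id = rdq.id_document "+
        " and rd.id = d.id "+
        " and rdq.id_quotation = q.id "+
        " and q.end_date > sysdate "+
        " and rd.status = 'EXP' "+
        " and q.quotation_number = " + quotation;
'''
CRYPTO_SNIPPET = '''String key = "A Fixed Password"; // 128 bit key
// Create key and cipher
Key aesKey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES");
// encrypt the text
cipher.init(Cipher.ENCRYPT_MODE, aesKey);
byte[] encrypted = cipher.doFinal(password.getBytes());
'''
SAFE_SNIPPET = '''PreparedStatement ps = conn.prepareStatement(
        "select count(*) as number from quotations q where q.quotation_number = ?");
ps.setString(1, quotation);
SecretKey aesKey = new SecretKeySpec(keyBytes, "AES");   // keyBytes loaded from a key store
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
'''

if __name__ == "__main__":
    for label, src in [("sql", SQL_SNIPPET), ("crypto", CRYPTO_SNIPPET), ("hardened", SAFE_SNIPPET)]:
        print(label, [(f.rule, f.line, f.severity) for f in scan(src)] or "clean")
```

The hardened snippet produces no findings, which is the property a CI quality gate keys on: the same rules that flag the slide's code stay silent once the query is parameterised and the key no longer lives in the source.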
SonarQube
A comprehensive platform for Quality Assurance and Static Analysis Source Testing
Let’s play!
(Secure) Software Development LifeCycle (SSDLC)
Dynamic Application Security Testing
Static Application Security Testing
Software Component Analysis
Equifax Data Breach
In March 2017 a serious flaw in Apache Struts 2.x was disclosed (CVE-2017-5638)
▪ The vulnerability allows Remote Code Execution
▪ Equifax Inc., a large US credit reporting agency, was the victim of an attack via this flaw
▪ Data of 145.5 million US citizens were stolen
Software Component Analysis
Any lesson learnt from the Equifax data breach?
Know your software and its vulnerable components!
“OWASP TOP 10 2017: A9:2017-Using Components with Known Vulnerabilities”
Software Component Analysis
Answer questions such as…
…what components am I using?
…what vulnerabilities am I inheriting?
…where am I using this component?
Dependency Track
A platform for comprehensive Software Component Analysis
Let’s play!
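The three questions on the Software Component Analysis slide (what am I using, what am I inheriting, where am I using it) are answered by joining a component inventory against a vulnerability database. The script below is an added example, not Dependency-Track code: it reads two constructed CycloneDX-style JSON BOMs (the document format Dependency-Track ingests), matches components against a small vulnerability list and answers each question with a function. CVE-2017-5638 is the Struts flaw the deck names; its affected version ranges here are example data, EXAMPLE-VULN-0001 is a placeholder identifier, and the application names, versions and CVSS values are all constructed.

```python
"""Toy Software Component Analysis over CycloneDX-style BOMs (added example; not Dependency-Track code)."""
import json
import re
from collections import defaultdict

# Constructed CycloneDX JSON documents for two applications; versions are chosen for the example.
BOM_QUOTATIONS = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "quotations-web", "version": "3.1.0"}},
    "components": [
        {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "2.3.31"},
        {"type": "library", "group": "commons-fileupload", "name": "commons-fileupload", "version": "1.3.3"},
    ],
})
BOM_BILLING = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "billing-api", "version": "1.4.2"}},
    "components": [
        {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "2.5.12"},
        {"type": "library", "group": "commons-fileupload", "name": "commons-fileupload", "version": "1.3.1"},
    ],
})

# Constructed vulnerability database: inclusive version ranges per component.
# The ranges for CVE-2017-5638 are example data; EXAMPLE-VULN-0001 is a placeholder, not a real CVE.
VULN_DB = [
    {"id": "CVE-2017-5638", "group": "org.apache.struts", "name": "struts2-core",
     "affected": [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")], "cvss": 10.0},
    {"id": "EXAMPLE-VULN-0001", "group": "commons-fileupload", "name": "commons-fileupload",
     "affected": [("1.0", "1.3.2")], "cvss": 7.5},
]


def parse_version(v):
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric parts sort lowest. Tuples compare element-wise."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def in_range(version, low, high):
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def load_boms(bom_documents):
    """Return {application: [(group, name, version), ...]} from CycloneDX JSON strings."""
    apps = {}
    for raw in bom_documents:
        bom = json.loads(raw)
        app = bom["metadata"]["component"]["name"]
        apps[app] = [(c.get("group", ""), c["name"], c["version"]) for c in bom["components"]]
    return apps


def components_in_use(apps):
    """Question 1: what components am I using? -> sorted 'group:name@version' across all applications."""
    return sorted({f"{g}:{n}@{v}" for comps in apps.values() for g, n, v in comps})


def inherited_vulnerabilities(apps, vuln_db):
    """Question 2: what vulnerabilities am I inheriting? -> (app, component, id, cvss), most severe first."""
    hits = []
    for app, comps in apps.items():
        for g, n, v in comps:
            for vuln in vuln_db:
                if (vuln["group"], vuln["name"]) == (g, n) and any(in_range(v, lo, hi) for lo, hi in vuln["affected"]):
                    hits.append((app, f"{g}:{n}@{v}", vuln["id"], vuln["cvss"]))
    return sorted(hits, key=lambda h: (-h[3], h[0], h[1]))


def where_used(apps, group, name):
    """Question 3: where am I using this component? -> {version: [applications]}."""
    uses = defaultdict(list)
    for app, comps in apps.items():
        for g, n, v in comps:
            if (g, n) == (group, name):
                uses[v].append(app)
    return {v: sorted(a) for v, a in sorted(uses.items())}


if __name__ == "__main__":
    inventory = load_boms([BOM_QUOTATIONS, BOM_BILLING])
    print("using:", components_in_use(inventory))
    print("inheriting:", inherited_vulnerabilities(inventory, VULN_DB))
    print("struts2-core used in:", where_used(inventory, "org.apache.struts", "struts2-core"))
```

The point of keeping the inventory per application is the third question: when a new advisory lands, the answer is not "we use Struts" but "these applications ship this version", which is what turns an advisory into a patch ticket.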
(Secure) Software Development LifeCycle (SSDLC)
Dynamic Application Security Testing
Static Application Security Testing
Software Component Analysis
DAST - Dynamic Application Security Testing
DAST lets us test applications using a black box approach
Zed Attack Proxy
An integrated Web Application penetration testing tool with active and passive scanners
Let’s play!
Zed Attack Proxy
ZAP in the pipeline (components: Automated Tests, HTTP Proxy, ZAP Proxy, Application, CI Suite):
1. Users and automated tests reach the application through a reverse proxy
2. The reverse proxy uses ZAP as HTTP proxy for the connection to the application
3. ZAP passively records and scans the requests of users and automated tests
4. A CI job fires ZAP active scan tests
5. ZAP tries to attack the application exploiting the recorded requests
6. A CI job collects reports from ZAP
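Step 6 is where the pipeline decides whether the build passes. The script below is an added example, not part of the deck and not ZAP's own tooling: it reads a report shaped like ZAP's JSON report (a site list, each with alerts carrying riskcode 0 Informational to 3 High and confidence 0 False Positive to 4 User Confirmed), tallies alerts per risk level, and returns a non-zero exit code when an alert at or above the chosen risk level was reported with at least medium confidence. The report content, site name and URIs are constructed placeholders; the alert names are ordinary ZAP alert titles.

```python
"""CI gate over a ZAP-style JSON report (added example; not ZAP's own code)."""
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}   # ZAP riskcode values
RISK_CODES = {name: code for code, name in RISK_NAMES.items()}

# Constructed report modelled on ZAP's JSON output; site and URIs are placeholders.
REPORT_JSON = json.dumps({
    "@version": "constructed",
    "site": [{
        "@name": "http://app.example.test",
        "alerts": [
            {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/quotations?number=1", "method": "GET", "param": "number"}]},
            {"alert": "Application Error Disclosure", "riskcode": "2", "confidence": "1",
             "instances": [{"uri": "http://app.example.test/quotations", "method": "POST", "param": ""}]},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/", "method": "GET", "param": ""}]},
            {"alert": "Cookie Without Secure Flag", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://app.example.test/login", "method": "POST", "param": "JSESSIONID"}]},
        ],
    }],
})


def load_report(raw):
    return json.loads(raw)


def summarize(report):
    """Count alerts per risk level across all sites, e.g. {"High": 1, "Medium": 1, ...}."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for site in report["site"]:
        for alert in site["alerts"]:
            counts[RISK_NAMES[int(alert["riskcode"])]] += 1
    return counts


def blocking_alerts(report, fail_at="Medium", min_confidence=2):
    """Alerts that should fail the build: risk >= fail_at and confidence >= min_confidence.
    Low-confidence alerts are reported but do not block, to keep the gate free of obvious false positives."""
    threshold = RISK_CODES[fail_at]
    blocking = []
    for site in report["site"]:
        for alert in site["alerts"]:
            if int(alert["riskcode"]) >= threshold and int(alert["confidence"]) >= min_confidence:
                blocking.append((site["@name"], alert["alert"], [i["uri"] for i in alert["instances"]]))
    return blocking


def gate(raw, fail_at="Medium"):
    """Return the exit code for the CI job: 0 when nothing blocks, 1 otherwise."""
    report = load_report(raw)
    for site, name, uris in blocking_alerts(report, fail_at):
        print(f"BLOCKING: {name} at {site}: {', '.join(uris)}")
    print("summary:", summarize(report))
    return 1 if blocking_alerts(report, fail_at) else 0


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else REPORT_JSON
    sys.exit(gate(raw))
```

Run as `python gate.py zap-report.json` from the CI job; the threshold is deliberately a parameter so a team can start by blocking only on High and tighten it as the backlog shrinks.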
Don’t rely only on tools…
Perform routine code reviews
Security is a matter of people and processes
Build awareness through education
Security KPI
Security should be measurable
CVSS – Common Vulnerability Scoring System
Base Metric Group
▪ Exploitability Metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI)
▪ Scope (S)
▪ Impact Metrics: Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A)
Temporal Metric Group
▪ Exploit Code Maturity
▪ Remediation Level
▪ Report Confidence
Environmental Metric Group
▪ Modified Base Metrics
CVSS - Common Vulnerability Scoring System
Base Score Range
Severity   CVSSv2     CVSSv3
None       N/A        0.0
Low        0.0-3.9    0.1-3.9
Medium     4.0-6.9    4.0-6.9
High       7.0-10.0   7.0-8.9
Critical   N/A        9.0-10.0
CVSS - An example?
CVE-2017-5638 (Equifax Data Breach Vulnerability): CVSS 10
WRT - Weighted Risk Trend
Weighted sum of vulnerabilities (count × severity weight), multiplied by the application risk factor
Example
Blocker: 4 x 2.5
Critical: 133 x 2
Major: 508 x 1.5
Minor: 314 x 1
Application Risk Factor: 1.5
WRT = (10 + 266 + 762 + 314) x 1.5 = 2028
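To turn the formula into a KPI that a dashboard can track, the counts have to come from the analyser's issue export and the value has to be compared across scans. The script below is an added example, not the deck's tooling: it reproduces the slide's figures with the slide's weights, tallies open issues from constructed records shaped like a static-analysis issue export (uppercase severity plus a status field), and computes the trend between consecutive scans. The issue records, scan labels and the weights default are this example's choices.

```python
"""Weighted Risk Trend over static-analysis findings (added example; not the deck's tooling)."""
from collections import Counter

# Severity weights as used on the slide; the application risk factor is passed per application.
SEVERITY_WEIGHTS = {"Blocker": 2.5, "Critical": 2.0, "Major": 1.5, "Minor": 1.0}


def weighted_risk(counts, risk_factor, weights=SEVERITY_WEIGHTS):
    """WRT = (sum over severities of open findings x weight) x application risk factor."""
    weighted_sum = sum(counts.get(severity, 0) * weight for severity, weight in weights.items())
    return weighted_sum * risk_factor


def count_by_severity(issues):
    """Tally open issues by severity from records like {"severity": "BLOCKER", "status": "OPEN"}.
    Resolved or closed issues no longer contribute to the risk."""
    return Counter(i["severity"].capitalize() for i in issues if i.get("status", "OPEN") == "OPEN")


def trend(history):
    """history = [(label, wrt), ...] oldest first -> [(label, delta from the previous scan), ...]."""
    return [(later[0], round(later[1] - earlier[1], 2)) for earlier, later in zip(history, history[1:])]


# The slide's figures.
SLIDE_COUNTS = {"Blocker": 4, "Critical": 133, "Major": 508, "Minor": 314}
SLIDE_RISK_FACTOR = 1.5

# Constructed issue records for a small application.
ISSUES = [
    {"key": "AX-1", "severity": "BLOCKER", "status": "OPEN"},
    {"key": "AX-2", "severity": "MAJOR", "status": "OPEN"},
    {"key": "AX-3", "severity": "MAJOR", "status": "RESOLVED"},
    {"key": "AX-4", "severity": "MINOR", "status": "OPEN"},
]

if __name__ == "__main__":
    print("slide example WRT:", weighted_risk(SLIDE_COUNTS, SLIDE_RISK_FACTOR))
    counts = count_by_severity(ISSUES)
    print("small app counts:", dict(counts), "WRT:", weighted_risk(counts, 1.5))
    print("trend:", trend([("sprint-1", 2028.0), ("sprint-2", 1959.0), ("sprint-3", 2100.0)]))
```

Because the risk factor multiplies the whole sum, the same 1352 weighted findings count for 2028 in an application rated 1.5 and for 1352 in one rated 1.0; the trend, not the absolute value, is what tells you whether a team is paying its security debt down.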
Security in a CI/CD process
Software Security Checks Toolchain
▪ Software Component Analysis
▪ DAST (OWASP ZAP)
▪ SAST
▪ Continuous Integration
▪ SCM
▪ Issue Tracking
▪ Artifact Repository
▪ Container Security Platform
▪ Application
▪ Collaboration Suite
▪ SIEM
Key Takeaway points
▪ TOOLS can help you, but use them WISELY
▪ Security CAN fit your software development PROCESS
▪ Build security AWARENESS in your organization
▪ Security is TESTABLE and MEASURABLE in an AUTOMATED fashion
Do you have any questions?
42!(*)
(*) If you don’t know why 42 is your answer, I’ve got some bad news for you… Black Hats are the least of your problems: Vogons are on the way!
Luca Molari
lmolari@imolainformatica.it
@LMolr
Stefano Monti
smonti@imolainformatica.it
@Ste_Monti
Alessandro Proscia
aproscia@imolainformatica.it
@alex184it
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

Secure Software Development Lifecycle - Devoxx MA 2018

  • 1. SSDLC - Secure Software Development Lifecycle
    L. Molari – S. Monti – A. Proscia
    @imolinfo
    https://www.imolainformatica.it
    #SSDLC@imolinfo

  • 2. How much does it cost?
        if (multiWrapper.hasErrors()) {
            for (LocalizedMessage error : multiWrapper.getErrors()) {
                if (validation != null) {
                    validation.addActionError(
                        LocalizedTextUtil.findText(error.getClazz(),
                            error.getTextKey(),
                            ActionContext.getContext().getLocale(),
                            error.getDefaultMessage(),
                            error.getArgs()));
                }
            }
        }

  • 3. How much does it cost?
    Same snippet as slide 2. It is the Apache Struts 2 file-upload error handling: the error's default message carries the attacker-controlled Content-Type header, and LocalizedTextUtil.findText evaluates OGNL expressions found in that message, which is the remote code execution flaw the deck comes back to on slide 29 (CVE-2017-5638).
    source Reuters: https://reut.rs/2QsGivt

  • 5. Security costs.
    Average cost of a data breach in 2017 was…

  • 6. Security costs. When you don't care about it.
    …3.62 million dollars.
    source IBM: https://ibm.co/2tMp7ek

  • 7. GDPR: Take care of users' data
    With GDPR, data breaches will be more and more expensive: fines up to € 20M.

  • 8. Security misconceptions
    Security should not be a matter of fences…

  • 9. Security misconceptions
    …or of products or tools either.

  • 10. Key Principles
    Security should be a process.
    Security should be testable.
    Security should be measurable.

  • 11. Security as a Process
    Security should be a process.

  • 13. A typical perspective
    "Don't care about security. Let's deliver the application."

  • 14. (Secure) Software Development LifeCycle - SSDLC
    Static Application Security Testing
    Software Component Analysis
    Dynamic Application Security Testing

  • 15. SSDLC Landscape
    Phases: Analysis, Design, Development, Testing, Maintenance.
    Activities and tools placed across those phases: Risk Management; Consolidated Security Standard; Security Best Practices; Enterprise Information Security Architecture; Education & Awareness; Threat Modelling; Secure Coding Guidelines; Secure Testing Policies; Security Response Planning; Security Response Execution; SAST; Code Review; Software Component Analysis; DAST / IAST; RASP; SIEM; Vault Management; Issue Tracking; Independent Vulnerability Assessment; Continuous Vulnerability Assessment.
  • 16. OWASP 2017 Top 10
    OWASP Top 10 Application Security Risks – 2017
    A1:2017 - Injection
    A2:2017 - Broken Authentication
    A3:2017 - Sensitive Data Exposure
    A4:2017 - XML External Entities (XXE)
    A5:2017 - Broken Access Control
    A6:2017 - Security Misconfiguration
    A7:2017 - Cross-Site Scripting (XSS)
    A8:2017 - Insecure Deserialization
    A9:2017 - Using Components with Known Vulnerabilities
    A10:2017 - Insufficient Logging & Monitoring
    source OWASP: https://bit.ly/2HlP8H5

  • 19. (Secure) Software Development LifeCycle - SSDLC
    Static Application Security Testing
    Software Component Analysis
    Dynamic Application Security Testing
  • 20. SAST - Static Application Security Testing
    SAST finds flaws in source code, without running the application, by matching it against well-known patterns of bad programming habits.

  • 21. SAST - Static Application Security Testing
        String query = "select count(*) as number " +
                       " from required_documents rd, " +
                       " required_documents_quotations rdq, " +
                       " quotations q, documents d " +
                       " where rd.id = rdq.id_document " +
                       " and rd.id = d.id " +
                       " and rdq.id_quotation = q.id " +
                       " and q.end_date > sysdate " +
                       " and rd.status = 'EXP' " +
                       " and q.quotation_number = " + quotation;

  • 22. SAST - Static Application Security Testing
    Same snippet as slide 21, captioned "Thank you guys!": the quotation number is concatenated straight into the SQL text, so whoever controls that string controls the query (SQL injection, A1:2017). This is the kind of pattern a SAST tool flags.
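The query from slides 21 and 22 next to a parameterised version, as an added example (not the deck's code). It assumes the H2 in-memory JDBC driver (com.h2database:h2) on the classpath so it runs without a database server; the table layout, the rows and the attacker string are constructed, and CURRENT_DATE stands in for Oracle's sysdate.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class QuotationRepository {

    // Same joins as the slide; CURRENT_DATE replaces Oracle's sysdate for H2.
    private static final String FROM_WHERE =
            " from required_documents rd, required_documents_quotations rdq, quotations q, documents d"
          + " where rd.id = rdq.id_document and rd.id = d.id and rdq.id_quotation = q.id"
          + " and q.end_date > CURRENT_DATE and rd.status = 'EXP'";

    // VULNERABLE (the slide's pattern): the caller's string is glued into the SQL text.
    static long countExpiredDocsVulnerable(Connection conn, String quotation) throws SQLException {
        String query = "select count(*) as n" + FROM_WHERE + " and q.quotation_number = " + quotation;
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(query)) {
            rs.next();
            return rs.getLong("n");
        }
    }

    // HARDENED: a typed bind parameter travels separately from the SQL text,
    // so no input can change the structure of the query.
    static long countExpiredDocs(Connection conn, long quotationNumber) throws SQLException {
        String query = "select count(*) as n" + FROM_WHERE + " and q.quotation_number = ?";
        try (PreparedStatement ps = conn.prepareStatement(query)) {
            ps.setLong(1, quotationNumber);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getLong("n");
            }
        }
    }

    // Constructed data: quotation 1 has 2 expired documents, quotation 2 has 3.
    // (The concatenated ints here come from the loop counter, not from user input.)
    static void seed(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement()) {
            st.execute("create table quotations(id int primary key, quotation_number int, end_date date)");
            st.execute("create table required_documents(id int primary key, status varchar(3))");
            st.execute("create table documents(id int primary key)");
            st.execute("create table required_documents_quotations(id_document int, id_quotation int)");
            st.execute("insert into quotations values (1, 1, DATEADD('DAY', 30, CURRENT_DATE)),"
                     + " (2, 2, DATEADD('DAY', 30, CURRENT_DATE))");
            for (int i = 1; i <= 5; i++) {
                st.execute("insert into required_documents values (" + i + ", 'EXP')");
                st.execute("insert into documents values (" + i + ")");
                st.execute("insert into required_documents_quotations values (" + i + ", " + (i <= 2 ? 1 : 2) + ")");
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:ssdlc")) {
            seed(conn);
            // Honest input: 2 expired documents for quotation 1.
            System.out.println("vulnerable, honest input  : " + countExpiredDocsVulnerable(conn, "1"));
            // "1 or 1=1": AND binds tighter than OR, so every join condition is bypassed and the
            // query counts the whole cross product (5 x 5 x 2 x 5 = 250 rows) instead of 2.
            System.out.println("vulnerable, attacker input: " + countExpiredDocsVulnerable(conn, "1 or 1=1"));
            // Bound parameter: still 2, and the attacker string cannot even be turned into a long.
            System.out.println("prepared statement        : " + countExpiredDocs(conn, 1L));
            try {
                countExpiredDocs(conn, Long.parseLong("1 or 1=1"));
            } catch (NumberFormatException e) {
                System.out.println("rejected before any SQL ran: " + e.getMessage());
            }
        }
    }
}
```

The fix is the bind parameter, not escaping: the database receives the statement text and the value through separate channels, so the "1 or 1=1" case cannot arise. Typing the parameter as a long adds input validation on top, which is why the last call fails in Java rather than in the database.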
  • 23. SAST - Static Application Security Testing
        String key = "A Fixed Password"; // 128 bit key
        // Create key and cipher
        Key aesKey = new SecretKeySpec(key.getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES");
        // encrypt the text
        cipher.init(Cipher.ENCRYPT_MODE, aesKey);
        byte[] encrypted = cipher.doFinal(password.getBytes());

  • 25. SAST - Static Application Security Testing
    Same snippet as slide 23, captioned "What's wrong with you bro'???". What is wrong: the key is a string literal in the source tree; "AES" without a mode resolves to AES/ECB/PKCS5Padding in the JDK's default provider, so equal inputs give equal ciphertexts and nothing detects tampering; getBytes() uses the platform default charset; and the value being encrypted is a password, which in most cases should be hashed rather than encrypted.
  • 28. (Secure) Software Development LifeCycle - SSDLC
    Static Application Security Testing
    Software Component Analysis
    Dynamic Application Security Testing

  • 29. Equifax Data Breach
    In March 2017 a serious flaw in Apache Struts 2.x was disclosed (CVE-2017-5638).
    ▪ The vulnerability allows Remote Code Execution.
    ▪ Equifax Inc., a large US credit reporting agency, was the victim of an attack through this flaw.
    ▪ Data of 145.5 million US citizens were stolen.

  • 30. Software Component Analysis
    Any lesson learnt from the Equifax data breach?

  • 31. Software Component Analysis
    Any lesson learnt from the Equifax data breach?
    Know your software and its vulnerable components!
    "OWASP Top 10 2017: A9:2017 - Using Components with Known Vulnerabilities"

  • 32. Software Component Analysis
    Answer questions such as…
    …what components am I using?
    …what vulnerabilities am I inheriting?
    …where am I using this component?

  • 33. Dependency-Track
    A platform for comprehensive Software Component Analysis.
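The three questions on slide 32 reduced to code, as an added example (not the deck's code and not Dependency-Track's): read a CycloneDX bill of materials for one application, match each component against an advisory feed, and list what is affected. The BOM and the feed are constructed and embedded; the only real entry is struts2-core 2.3.31 against CVE-2017-5638 (fixed in 2.3.32), the com.example components and the EXAMPLE-… advisory ids are invented for the demonstration. It uses only the JDK (records need Java 16+) and, since the input is XML, parses it with DTDs disabled so the scanner itself is not an XXE (A4:2017) target.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class BomScan {

    // Constructed CycloneDX BOM; a real one is produced by the build (e.g. the cyclonedx-maven-plugin).
    static final String BOM = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.4\" version=\"1\"><components>"
        + "<component type=\"library\"><group>org.apache.struts</group><name>struts2-core</name><version>2.3.31</version></component>"
        + "<component type=\"library\"><group>com.example</group><name>widget-parser</name><version>1.4.0</version></component>"
        + "<component type=\"library\"><group>com.example</group><name>widget-render</name><version>0.9.2</version></component>"
        + "</components></bom>";

    record Component(String group, String name, String version) {}
    record Advisory(String id, String group, String name, String fixedIn) {}  // versions below fixedIn are affected

    // Constructed advisory feed: the Struts entry is real, the EXAMPLE ids are invented for the demo.
    static final List<Advisory> FEED = List.of(
        new Advisory("CVE-2017-5638", "org.apache.struts", "struts2-core", "2.3.32"),
        new Advisory("EXAMPLE-0001", "com.example", "widget-parser", "1.4.0"),
        new Advisory("EXAMPLE-0002", "com.example", "widget-render", "1.0.0"));

    // Hardened DOM parsing: no DOCTYPE, so no external entities and no entity expansion bombs.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // "What components am I using?"
    static List<Component> components(Document doc) {
        List<Component> out = new ArrayList<>();
        NodeList nodes = doc.getElementsByTagNameNS("*", "component");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element c = (Element) nodes.item(i);
            out.add(new Component(text(c, "group"), text(c, "name"), text(c, "version")));
        }
        return out;
    }

    static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagNameNS("*", tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    // Numeric dotted-version compare: fine for x.y.z, not for qualifiers such as -rc1 or -SNAPSHOT.
    static int compareVersions(String a, String b) {
        String[] x = a.split("\\."), y = b.split("\\.");
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0;
            int yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    // "What vulnerabilities am I inheriting?"  Versions equal to fixedIn are not affected.
    static List<String> findings(List<Component> comps) {
        List<String> out = new ArrayList<>();
        for (Component c : comps)
            for (Advisory a : FEED)
                if (a.group().equals(c.group()) && a.name().equals(c.name())
                        && compareVersions(c.version(), a.fixedIn()) < 0)
                    out.add(a.id() + " affects " + c.group() + ":" + c.name() + ":" + c.version()
                          + " (fixed in " + a.fixedIn() + ")");
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<Component> comps = components(parse(BOM));
        System.out.println("components in use: " + comps.size());
        findings(comps).forEach(System.out::println);   // struts2-core and widget-render; widget-parser is at the fixed version
    }
}
```

"Where am I using this component?" is the same match run across every application's BOM rather than one, which is what a platform like Dependency-Track adds: one BOM per project, a continuously refreshed feed instead of the hard-coded one here, and the ability to ask which projects ship a given component.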
  • 35. (Secure) Software Development LifeCycle - SSDLC
    Static Application Security Testing
    Software Component Analysis
    Dynamic Application Security Testing

  • 36. DAST - Dynamic Application Security Testing
    DAST lets us test the running application with a black-box approach.

  • 37. Zed Attack Proxy
    An integrated web application penetration testing tool with active and passive scanners.

  • 39. Zed Attack Proxy
    Automated Tests → HTTP Proxy → ZAP Proxy → Application, orchestrated by the CI Suite:
    1. Users and automated tests reach the application through a reverse proxy.
    2. The reverse proxy uses ZAP as HTTP proxy for its connection to the application.
    3. ZAP passively records and scans the requests of users and automated tests.
    4. A CI job fires ZAP active scan tests.
    5. ZAP tries to attack the application, exploiting the recorded requests.
    6. A CI job collects reports from ZAP.
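Steps 4 to 6 of the flow above from the CI job's side, as an added example (not the deck's code and not part of the ZAP project): start an active scan over what ZAP recorded for the target, wait for it to finish, save the HTML report and fail the build on alerts at Medium risk or above. It calls the ZAP API (JSON/ascan/action/scan, JSON/ascan/view/status, JSON/core/view/alerts, OTHER/core/other/htmlreport) with Java 11's HttpClient; the ZAP address, API key, target URL and the Medium threshold are assumed CI settings.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ZapGate {

    // Assumed CI settings: ZAP running in daemon mode with an API key, reachable from the job.
    static final String ZAP = System.getenv().getOrDefault("ZAP_URL", "http://zap:8080");
    static final String API_KEY = System.getenv().getOrDefault("ZAP_API_KEY", "change-me");
    static final HttpClient HTTP = HttpClient.newHttpClient();

    // One GET against the ZAP API; kv holds alternating parameter names and values.
    static String call(String endpoint, String... kv) throws Exception {
        StringBuilder url = new StringBuilder(ZAP).append(endpoint).append("?apikey=").append(enc(API_KEY));
        for (int i = 0; i < kv.length; i += 2) url.append('&').append(kv[i]).append('=').append(enc(kv[i + 1]));
        HttpRequest req = HttpRequest.newBuilder(URI.create(url.toString())).GET().build();
        HttpResponse<String> r = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        if (r.statusCode() != 200) throw new IllegalStateException("ZAP " + endpoint + " -> HTTP " + r.statusCode());
        return r.body();
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Pull one string field out of ZAP's small JSON answers, e.g. {"scan":"0"} or {"status":"42"}.
    // A regex keeps the job dependency-free; a real job would use a JSON library.
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no field '" + name + "' in " + json);
        return m.group(1);
    }

    // Count alerts whose risk is at or above minRisk in the JSON returned by core/view/alerts.
    static int countAlertsAtLeast(String alertsJson, String minRisk) {
        int threshold = rank(minRisk);
        Matcher m = Pattern.compile("\"risk\"\\s*:\\s*\"(Informational|Low|Medium|High)\"").matcher(alertsJson);
        int n = 0;
        while (m.find()) if (rank(m.group(1)) >= threshold) n++;
        return n;
    }

    static int rank(String risk) {
        switch (risk) {
            case "High": return 3;
            case "Medium": return 2;
            case "Low": return 1;
            default: return 0;
        }
    }

    public static void main(String[] args) throws Exception {
        String target = args.length > 0 ? args[0] : "http://app:8080/";
        // Step 4: active scan of the target and everything ZAP recorded beneath it (recurse=true).
        String scanId = field(call("/JSON/ascan/action/scan/", "url", target, "recurse", "true"), "scan");
        // Step 5: ZAP attacks using the recorded requests; poll until progress reaches 100.
        while (Integer.parseInt(field(call("/JSON/ascan/view/status/", "scanId", scanId), "status")) < 100) {
            Thread.sleep(5000);
        }
        // Step 6: collect the report, then gate the build.
        Files.writeString(Path.of("zap-report.html"), call("/OTHER/core/other/htmlreport/"));
        int bad = countAlertsAtLeast(call("/JSON/core/view/alerts/", "baseurl", target), "Medium");
        System.out.println(bad + " alert(s) at Medium or above; report written to zap-report.html");
        System.exit(bad == 0 ? 0 : 1);
    }
}
```

The active scan only covers URLs ZAP already knows, which is why steps 1 to 3 (routing users and the automated test suite through ZAP first) matter: an active scan fired against an application ZAP has never seen tests almost nothing.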
  • 40. Don't rely only on tools…
    Security is a matter of people and processes.
    Perform routine code reviews.
    Build awareness through education.

  • 41. Security KPI
    Security should be measurable.

  • 42. CVSS – Common Vulnerability Scoring System
    Base Metric Group
      Exploitability Metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI)
      Scope (S)
      Impact Metrics: Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A)
    Temporal Metric Group
      Exploit Code Maturity, Remediation Level, Report Confidence
    Environmental Metric Group
      Modified Base Metrics

  • 43. CVSS - Common Vulnerability Scoring System
    Base Score Range
      Severity   CVSSv2     CVSSv3
      None       N/A        0.0
      Low        0.0-3.9    0.1-3.9
      Medium     4.0-6.9    4.0-6.9
      High       7.0-10.0   7.0-8.9
      Critical   N/A        9.0-10.0

  • 44. CVSS - An example?
    CVE-2017-5638 (the Equifax data breach vulnerability): CVSS 10.

  • 45. WRT - Weighted Risk Trend
    Weighted sum of vulnerabilities, multiplied by the application risk factor:
    WRT = Application Risk Factor × Σ (number of findings per severity × severity weight)
    Example
      Blocker:  4 × 2.5 = 10
      Critical: 133 × 2 = 266
      Major:    508 × 1.5 = 762
      Minor:    314 × 1 = 314
      Application Risk Factor: 1.5
      WRT = 1.5 × (10 + 266 + 762 + 314) = 2028
  • 46. Security in a CI/CD process
    Software Security Checks: Software Component Analysis, DAST (OWASP ZAP), SAST
    Toolchain: Continuous Integration, SCM, Issue Tracking, Artifact Repository, Container Security Platform, Application Collaboration Suite, SIEM

  • 47. Key Takeaway points
    TOOLS can help you, but use them WISELY.
    Security CAN fit your software development PROCESS.
    Build security AWARENESS in your organization.
    Security is TESTABLE and MEASURABLE in an AUTOMATED fashion.

  • 48. Do you have any question?
    42! (*)
    (*) If you don't know why 42 is your answer, I've got some bad news for you: Black Hats are the least of your problems, Vogons are on the way!