Diese Präsentation wurde erfolgreich gemeldet.
Die SlideShare-Präsentation wird heruntergeladen. ×

NDC Security 2023

3. Feb 2023
0 gefällt mir 6 Aufrufe
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Anzeige
Nächste SlideShare
Is this okay!? DevSecCon ⚡ 2022
Is this okay!? DevSecCon ⚡ 2022
Wird geladen in …3
×

Hier ansehen

Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Shawn Tuma
MacIT 2014 - Essential Security & Risk Fundamentals
Alison Gianotto
Would You Lie to Your Physician? Establishing Privacy Compliance within your ...
Ensighten
Data Protection – How Not to Panic and Make it a Positive
TargetX
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
Santhosh Tuppad
Practical analytics hands-on to cloud & IoT cyber threats
Jorge Sebastiao
GDPRforum London
Angry Creative (UK)
Fostering an Ecosystem for Smartphone Privacy
Jason Hong
1 von 24 Anzeige

NDC Security 2023

3. Feb 2023
0 gefällt mir 6 Aufrufe

Herunterladen, um offline zu lesen

Software

Is this okay!? How to review code for security issues.

You've got some code from a team member to review. You already know that security is important, but do you know how to review their code for security issues?

In this session, Rouan will equip you to find common security issues before they're shipped to production. He’ll cover eight questions you should ask yourself whenever you’re reviewing code. We’ll look at an example pull request together and spot some big security issues that could easily have gone unnoticed.

Is this okay!? How to review code for security issues.

You've got some code from a team member to review. You already know that security is important, but do you know how to review their code for security issues?

In this session, Rouan will equip you to find common security issues before they're shipped to production. He’ll cover eight questions you should ask yourself whenever you’re reviewing code. We’ll look at an example pull request together and spot some big security issues that could easily have gone unnoticed.

Software
Anzeige

Empfohlen

Is this okay!? DevSecCon ⚡ 2022
rouanw
6 Aufrufe
19 Folien
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Wendy Knox Everette
232 Aufrufe
87 Folien
The Legal Case for Cybersecurity
Shawn Tuma
327 Aufrufe
24 Folien
Janitor vs cleaner
John Stauffacher
765 Aufrufe
44 Folien
Spo2 t17
SelectedPresentations
150 Aufrufe
31 Folien
Cybersecurity and the regulator, what you need to know
Cordium
1.2k Aufrufe
31 Folien
Insider Threat Law: Balancing Privacy and Protection
ObserveIT
547 Aufrufe
19 Folien
Thriving in the world of Big Data
Livingstone Advisory
613 Aufrufe
15 Folien
Anzeige

Weitere Verwandte Inhalte

Ähnlich wie NDC Security 2023 (20)

Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Shawn Tuma
386 Aufrufe
MacIT 2014 - Essential Security & Risk Fundamentals
Alison Gianotto
2.9k Aufrufe
Would You Lie to Your Physician? Establishing Privacy Compliance within your ...
Ensighten
455 Aufrufe
Data Protection – How Not to Panic and Make it a Positive
TargetX
813 Aufrufe
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
Santhosh Tuppad
328 Aufrufe
Practical analytics hands-on to cloud & IoT cyber threats
Jorge Sebastiao
183 Aufrufe
GDPRforum London
Angry Creative (UK)
598 Aufrufe
Fostering an Ecosystem for Smartphone Privacy
Jason Hong
101 Aufrufe
Predictive analytics ouedi final version 11 3-13 2
Dean Whittaker
306 Aufrufe
STEALTHbits Sensitive Data Discovery Solutions
STEALTHbits Technologies
661 Aufrufe
Hacking_SharePoint_FINAL
Ian Naumenko, CISSP, CRISC
2.2k Aufrufe
Dull, Difficult, and Essential: Managing Public Records
Paul W. Taylor
694 Aufrufe
SucessfulInsiderThreat
HammerNJ
441 Aufrufe
How to Catch a Wolf in Sheep's Clothing
ThinAir
164 Aufrufe
The Unfortunate Triumph of Process over Purpose
TechWell
606 Aufrufe
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
dianadvo
235 Aufrufe
Imperative of advanced analytics and ai in leadership excellence
Ebuka David Obi
75 Aufrufe
The journey towards pinot
Ananth PackkilDurai
99 Aufrufe
Penetration testing as an internal audit activity
Transcendent Group
2.1k Aufrufe
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...
Shawn Tuma
850 Aufrufe
Why Your Organization Must Have a Cyber Risk Management Program and How to De...
Shawn Tuma
386 Aufrufe
26 Folien
MacIT 2014 - Essential Security & Risk Fundamentals
Alison Gianotto
2.9k Aufrufe
36 Folien
Would You Lie to Your Physician? Establishing Privacy Compliance within your ...
Ensighten
455 Aufrufe
19 Folien
Data Protection – How Not to Panic and Make it a Positive
TargetX
813 Aufrufe
32 Folien
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...
Santhosh Tuppad
328 Aufrufe
14 Folien
Practical analytics hands-on to cloud & IoT cyber threats
Jorge Sebastiao
183 Aufrufe
30 Folien

Weitere von rouanw (20)

Fail better with QA in Production
rouanw
738 Aufrufe
Qa in production singular 2019
rouanw
108 Aufrufe
How to review a pull request
rouanw
445 Aufrufe
Rouan's design principles
rouanw
78 Aufrufe
The curious case of the production incident
rouanw
351 Aufrufe
QA in Production: The tests we never wrote and the production monitoring we u...
rouanw
509 Aufrufe
Organised chaos: real-world JavaScript microservices
rouanw
683 Aufrufe
Contributing to open source is easier than you think
rouanw
428 Aufrufe
How to write a blog post
rouanw
399 Aufrufe
QA in Production
rouanw
719 Aufrufe
Dashboards: Using data to find out what's really going on
rouanw
4.8k Aufrufe
Tech lead tips
rouanw
778 Aufrufe
DevOps Culture
rouanw
1.7k Aufrufe
Techniques for stress free software releases
rouanw
768 Aufrufe
Be a polyglot programmer
rouanw
550 Aufrufe
Emergent design - PHP Jo'burg 2015
rouanw
839 Aufrufe
Infrastructure as code
rouanw
579 Aufrufe
ThoughtWorks Tech radar Jan 2014
rouanw
1.2k Aufrufe
Continuous Integration
rouanw
385 Aufrufe
May 2013 ThoughtWorks Tech radar
rouanw
549 Aufrufe
Fail better with QA in Production
rouanw
738 Aufrufe
37 Folien
Qa in production singular 2019
rouanw
108 Aufrufe
37 Folien
How to review a pull request
rouanw
445 Aufrufe
31 Folien
Rouan's design principles
rouanw
78 Aufrufe
19 Folien
The curious case of the production incident
rouanw
351 Aufrufe
35 Folien
QA in Production: The tests we never wrote and the production monitoring we u...
rouanw
509 Aufrufe
31 Folien
Anzeige

Aktuellste (20)

Accelerate Microservices Deployments with Automation
NGINX, Inc.
17 Aufrufe
User Interface and Data Sources.pdf
PencilData
4 Aufrufe
MoT Athens meets Thessaloniki Software Testing & QA meetup
Thessaloniki Software Testing and QA meetup
7 Aufrufe
SUPERB DATA WAREHOUSE.ppt
ahmed368666
2 Aufrufe
SUN主机产品介绍.ppt
PencilData
3 Aufrufe
real-application-clusters-installation-guide-linux-and-unix.pdf
MitJiu
3 Aufrufe
Multi-perspective Process Analysis: Mining the Association between Control Fl...
Dina Bayomie
4 Aufrufe
SUN+Oracle存储产品介绍
PencilData
1 Aufruf
QRadar Architecture.pdf
PencilData
8 Aufrufe
ASUS H61M-A Repair Guide.pdf
CarlosFarias528679
4 Aufrufe
APPLE CATCHING-WPS Office.pptx
AnaYloisaBBoriga
1 Aufruf
JavaLand_To InstantOn and Beyond.pptx
Grace Jansen
11 Aufrufe
Sun-Product-line-Update-V2.pdf
PencilData
2 Aufrufe
Pembuatan Aplikasi Media Pembelajaran Interaktif Audio Visual Kaidah Pencacahan
PSCIndonesia2
4 Aufrufe
Automation Testing - G1 conference Ch13.pptx
GurzuInc
3 Aufrufe
Bitcoin Transparency Using Blockchain.pptx
MuhammadHamza579668
0 Aufrufe
Why Choose MightyCall.pdf
MightyCall
4 Aufrufe
Flutter vs. React Native Which i.pdf
Webtrills
0 Aufrufe
PrinciplesOfAnimation.pptx
NCCDanao
5 Aufrufe
Shortcomings of a software & what overcomes them!
ASK EHS Engineering & Consultants
13 Aufrufe
Accelerate Microservices Deployments with Automation
NGINX, Inc.
17 Aufrufe
36 Folien
User Interface and Data Sources.pdf
PencilData
4 Aufrufe
25 Folien
MoT Athens meets Thessaloniki Software Testing & QA meetup
Thessaloniki Software Testing and QA meetup
7 Aufrufe
19 Folien
SUPERB DATA WAREHOUSE.ppt
ahmed368666
2 Aufrufe
21 Folien
SUN主机产品介绍.ppt
PencilData
3 Aufrufe
29 Folien
real-application-clusters-installation-guide-linux-and-unix.pdf
MitJiu
3 Aufrufe
136 Folien

NDC Security 2023

  1. 1. Is this okay!? Rouan Wilsenach Engineering Lead, Haven @rouanw Reviewing code for security issues
  2. 2. Too much pressure Code reviews are great for catching issues but they can’t be the only thing. - Build awareness 💬 - Threat modelling 🐉 - Pen testing 🔦 - SAST 🖥
  3. 3. Where’s the input going? - Is there new input? - Have we changed the way input is handled? - Where it’s stored? - How it’s used later? 1 .
  4. 4. Are the right AAA checks in place? - Authentication - have we checked the actor is who they say they are? - Authorisation - have we checked they’re allowed to do this? - Auditing - have we made a note of what happened? 2 .
  5. 5. Principle of least privilege
  6. 6. Have the assets changed? ● Do we have consent and legitimate interest? ● Are we storing any personal or special information? E.g. ○ PII ○ Special Category ○ Criminal Offence 3 .
  7. 7. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/
  8. 8. Are you leaking data? - Is your API returning extra bits? - Are you logging stuff you shouldn’t? - Don’t keep anything you don’t need 4 .
  9. 9. Any new dependencies? Do some research on new dependencies. Are they: - Trusted - Popular - Well maintained - Do you really need it? 5 .
  10. 10. https://snyk.io/advisor/
  11. 11. Has the config changed? - Misconfiguration is a super common cause of security issues - If your config isn’t code, you can’t review it! 6 .
  12. 12. Is anything being cached? - Don’t show one user’s sensitive info to another! - Everyone should understand the default cache behaviour - Good cache keys 7 .
  13. 13. Have you checked the borders? Handy trick if you’re short on time is to focus on where data enters and leaves your system - e.g. where a web request comes in and where we talk to a database. 8 .
  14. 14. Bonus! #9 More than one mistake from a security issue https://blog.codinghorror.com/falling-into-the-pit-of-success/
  15. 15. A few tricks that helped me learn Find your security mentor Turn up at post mortems Smashing Security Podcast Offer help during pen tests Find a security course online
  16. 16. 1 . 2 . 3 . 4 . 5 . 6 . 7 . 8 . Inputs AAA Asset type Data leaks Dependencies Boundaries Config Caching Reviewing code for security issues – Cheat Sheet @rouanw

×