Certified Secure Software Lifecycle Professional (CSSLP)
Master Degree in Management Information Systems (MSMIS)
Faculty of Commerce and Accountancy, Thammasat University
05-April-2010



                Surachai Chatchalermpun
Speaker Profile

Surachai Chatchalermpun, CSSLP, ECSA, LPT
Agenda

Challenges Today…
What is CSSLP?
What is OWASP?
What is WebGoat?
WebGoat Lesson!
Challenges Today…
• Over 70% of breaches of security vulnerabilities exist at
  the application level. (Gartner Group, 2005)
• Software is often not developed with security in mind
• Targeted, financially motivated attacks continue to rise
• Attacks are moving up the application stack
• New technology waves keep on coming -- there are still
  numerous emerging threat vectors which require
  increased spending in certain security sub-segments.
  Source: Global Information Security & IT Security Personnel Development in USA –
  trend and hurdles, Prof. Howard A. Schmidt
Source: Issue number 9 Info Security Professional Magazine
W. Hord Tipton, CISSP-ISSEP, CAP, CISA
(ISC)² Executive Director
What is the CSSLP?

• Certified Secure Software Lifecycle Professional (CSSLP)
• Base credential
• Professional certification program
• Takes a holistic approach to security in the software
  lifecycle
• Tests candidates’ competency (KSAs) to significantly
  mitigate the security concerns
• Global leaders in certifying and educating information security
  professionals with the CISSP® and related concentrations,
  CAP® and SSCP®.

• Established in 1989 – not-for-profit consortium of industry
  leaders.

• More than 60,000 certified professionals in over 135 countries.

• Board of Directors - top information security professionals
  worldwide.

• All of our information security credentials are accredited under
  ANSI/ISO/IEC Standard 17024 and were the first technology-related
  credentials to receive this accreditation.
Over 70% of breaches of security vulnerabilities exist
at the application level.*

* Gartner Group, 2005
Purpose
• Provide a credential that speaks to the individual’s
  understanding of and ability to deliver secure
  software through the use of best practices.

• The target professionals for this Certification would
  be anyone who is directly, and in some cases
  indirectly, involved in the Software Lifecycle.
Software Lifecycle Stakeholder Chart

[Figure: Software Lifecycle Stakeholders, grouped as Primary Target, Secondary Target and Influencers: Top Management, Auditors, Business Unit Heads, Client Side PM, IT Manager, Industry Group, Delivery Heads, Security Specialists, Application Owners, Business Analysts, Developers/Coders, Quality Assurance Managers, Project Managers/Team Leads, Technical Architects]
Market Drivers

• Security is everyone’s responsibility
• Software vulnerabilities have emerged
  as a major concern
• Offshoring of software development
• Software is often not developed with
  security in mind
• Desire to meet growing industry needs
Certified Secure Software Lifecycle Professional

(ISC)² CSSLP CBK 7 Domains:
•   Secure Software Concepts
•   Secure Software Requirements
•   Secure Software Design
•   Secure Software Implementation/Coding
•   Secure Software Testing
•   Software Acceptance
•   Software Deployment, Operations, Maintenance,
    and Disposal
CSSLP Certification Requirements

By Experience Assessment:
•   Experience Assessment will be open until March 31, 2009
•   Candidate will be required to submit:
    – Experience Assessment Application
    – Signed candidate agreement and adherence to (ISC)² Code of
      Ethics
    – Detailed resume of experience
    – Four essay responses (Between 250-500 words) detailing
      experience in four of the following knowledge areas
        •   Applying Security concepts to Software Development
        •   Software Design
        •   Software Implementation/Coding
        •   Software Testing
        •   Software Acceptance
        •   Software Deployment, Operations, Maintenance, and Disposal
    – Fee of $650
CSSLP Certification Requirements

By Examination:
•   The first public exam will be held at the end of June 2009
•   Candidate will be required to submit:
     – Completed examination registration form
     – Signed candidate agreement and adherence to the (ISC)² Code of
       ethics
     – Proof of 4 years of FTE experience in the Software Development
       Lifecycle (SDLC) Process or 3 years plus 1 year waiver of
       experience for degree in an IT related field
     – Fee of $549 early-bird and $599 standard
•   Candidate will be required to
     – Pass the official (ISC)² CSSLP certification examination
     – Complete the endorsement process
•   The Associate of (ISC)² Program will apply to those who have
    passed the exam but still need to acquire the necessary
    minimum experience requirements
CSSLP CBK Overlap between other Certifications/Programs

[Figure: overlap of the CSSLP ((ISC)² professional certification program) with GSSP-C and GSSP-J (SANS software coder certification programs), CSSE (ISSECO entry-level education program with certificate of completion), the DHS Software Assurance Initiative (awareness effort), CSDA (IEEE associate-level status), CSDP (IEEE professional certification program) and vendor-specific credentials]
Future of CSSLP

• International Marketing Efforts

• ANSI/ISO/IEC17024 accreditation

• Maintenance activities

• Cert Education Program
Hear what Anthony Lim, from IBM,
has to say about CSSLP
CSSLP Certification
My CSSLP Certification
Why is Web Application Security Important?

• Easiest way to compromise hosts, networks and users.
• Widely deployed.
• No logs! (POST request payload)
• Incredibly hard to defend against or detect.
• Most don’t think of locking down web applications.
• Intrusion detection is a joke.
• Firewall? What firewall? I don’t see no firewall…
• SSL encrypted transport layer does nothing.

Source: White Hat Security
Web Application Hacking

[Figure: attack path from the Outer network through the DMZ Zone to the Inner Server farm Zone]

Source: White Hat Security
Your “Code” is Part of Your Security Perimeter

[Figure: the Network Layer (Outer Firewall, Inner Firewall, Hardened OS, Web Server, App Server) beneath the Application Layer (Custom Developed Application Code in front of Legacy Systems, Web Services, Databases, Directories, Human Resource and Billing systems). An Application Attack passes straight through the network layer: your security “perimeter” has huge holes at the “Application layer”.]

You can’t use network layer protection (Firewall, SSL, IDS, hardening)
to stop or detect application layer attacks

Source: White Hat Security
The Web Application Security Risk
• Web Applications are vulnerable:
  – Each application exposes its own vulnerabilities.
  – They change frequently, requiring constant tuning of application
    security.
  – They are complex and feature-rich with the advent of AJAX, Web
    Services and Web 2.0 (and social networks).
• Web Applications are threatened:
  – New business models drive “for profit” hacking.
  – Attacks are performed by black-hat professionals, enabling complex
    attacks.
• Potential impact may be severe:
  – Web applications are used for sensitive information and
    important transactions.
Source: White Hat Security
Threat is Difficult to Assess
• Web attacks are stealthy:
  – Victims hide breaches.
  – Incidents are not detected.

• Statistics are skewed:
  – The number of incidents reported is statistically
    insignificant.

Source: Breach Security
Source: Web Hacking Incidents Database
Available Sources of Attack Data
• Zone-H (The Hacker Community)
  – http://www.zone-h.org
  – The most comprehensive attack repository, very
    important for public awareness.
  – Reported by hackers, with a focus on defacements.

• WASC Statistics Project
  – http://www.webappsec.org

• OWASP Top 10
  – http://www.owasp.org
Hacking Incidents (Defacement)
Key Principle

3 Pillars of ICT (PPT): People, Process, Technology (Tool)
3 Pillars of Security (CIA): Confidentiality (vs. Disclosure), Integrity (vs. Alteration), Availability (vs. Disruption)
Root Causes of Application Insecurity : PPT

[Figure: the application (Knowledge Mgmt, Communication, Administration, Bus. Functions, Transactions, E-Commerce, Accounts, Finance, Custom Code) surrounded by Untrained People and Organizational Structure Issues, Missing or Inadequate Processes, and Missing or Inadequate Tools, Libraries, or Infrastructure]

• People and Organization Examples
  – Lack of Application Security training
  – Roles & Responsibilities not clear
  – No budget allocated

• Process Examples
  – Underestimated risks
  – Missed requirements
  – Inadequate testing and reviews
  – Lack of metrics
  – Lack of implementing Best Practices or Standards
  – No detection of attacks

• Technology Examples
  – Lack of appropriate tools
  – Lack of common infrastructure
  – Configuration errors

Source: OWASP
People / Processes / Technology

[Figure: controls spread across people, processes and technology: Awareness, Training, Guidelines, Secure Development, Secure Code Review, Security Testing, Secure Configuration, Application Firewalls, Automated Testing]
SDLC & OWASP Guidelines

Source: OWASP
Source: Microsoft
What is OWASP?
The Open Web Application Security Project (OWASP) is:

A not-for-profit worldwide charitable organization focused on
improving the security of application software.

Our mission is to make application security visible, so that
people and organizations can make informed decisions about true
application security risks.

Everyone is free to participate in OWASP and all of our
materials are available under a free and open software license.

Source: http://www.owasp.org
OWASP Foundation has over 130 Local Chapters
What is WebGoat?

WebGoat is a deliberately insecure J2EE web application
maintained by OWASP, designed to teach web application
security lessons.

In each lesson, users must demonstrate their understanding
of a security issue by exploiting a real vulnerability in the
WebGoat application.
WebGoat Installation
Windows - (Download, Extract, Double Click Release)

1. To start Tomcat, browse to the WebGoat directory unzipped above
   and double click "webgoat.bat"

2. Start your browser and browse to... (Notice the capital 'W' and 'G')
   http://localhost/WebGoat/attack

3. Log in as: user = guest, password = guest

4. To stop WebGoat, simply close the window you launched it from.
WebGoat Lesson 1
WebGoat Lesson 2
WebGoat Lesson 3
Solution: WebGoat Lesson 3

True OR ? = True
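The hint above is the always-true clause a string-built login query ends up with. The following Python is an added example, not code from the deck or from WebGoat: it builds a constructed in-memory SQLite user table, contrasts the concatenated query that such a clause defeats with a parameterized one, and adds a small detection check for the pattern in request parameters. The table layout, sample users and function names are assumptions.

```python
import re
import sqlite3

# Constructed sample user store for this example; not WebGoat's schema or data.
SAMPLE_USERS = [("guest", "guest"), ("admin", "placeholder-password")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, name, password):
    """Vulnerable pattern: user input is pasted into the SQL text.

    A password of  ' OR '1'='1  turns the WHERE clause into
        name='x' AND password='' OR '1'='1'
    which is (False) OR (True), the lesson's "True OR ? = True",
    so every row matches and the check passes without a valid password.
    """
    sql = ("SELECT name FROM users WHERE name='" + name
           + "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Hardened pattern: bound parameters keep the input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def looks_like_tautology(value):
    """Detection signal for request logs or WAF rules: a quote that closes a
    string literal followed by OR, the shape of an injected always-true clause."""
    return re.search(r"'\s*or\s+", value, re.IGNORECASE) is not None


if __name__ == "__main__":
    db = make_db()
    bad = "' OR '1'='1"
    print("concatenated:", login_concatenated(db, "x", bad))   # matches every user
    print("parameterized:", login_parameterized(db, "x", bad))  # matches nobody
    print("flagged:", looks_like_tautology(bad))
```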
WebGoat Lesson 4
Solution: WebGoat Lesson 4
WebGoat Lesson 5
Solution: WebGoat Lesson 5
Use Tamper Data (Firefox plug-in) to edit the variable value:
AccessControlMatrix.help" | net user"
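The Lesson 5 value above closes a quoted file name and appends a second command. The following Python is an added example, not WebGoat's own code, showing the defensive side: an allowlist check for the help-file parameter, a path mapping that never goes through a shell, and a check that flags shell metacharacters so the request gets logged. The help root, the `cmd.exe /c type` command shape of the hypothetical vulnerable handler, and the function names are assumptions.

```python
import re
from pathlib import Path

# Constructed help-file root for this example; WebGoat's real layout is not assumed.
HELP_ROOT = Path("/srv/webgoat/help")
# Allowlist: a bare file name such as AccessControlMatrix.help and nothing else.
HELP_NAME = re.compile(r"[A-Za-z0-9_]{1,64}\.help")
# Shell metacharacters that have no place in a file-name parameter.
SHELL_META = re.compile(r"""[|&;`$<>"'\\\n\r]""")


def build_naive_command(help_file):
    """Hypothetical vulnerable handler: the parameter is interpolated into a shell
    command string. Returned as a string only, never executed. A value containing
    a double quote escapes the quoting and the shell sees a second command."""
    return 'cmd.exe /c type "' + help_file + '"'


def validate_help_name(value):
    """Return the name if it matches the allowlist exactly, otherwise None."""
    return value if HELP_NAME.fullmatch(value) else None


def resolve_help_path(value, root=HELP_ROOT):
    """Map a validated name to a path under the help root without using a shell;
    the caller then opens that path directly. The containment check is extra
    defence: the allowlist already forbids '/' and '..' in the name."""
    name = validate_help_name(value)
    if name is None:
        return None
    root = root.resolve()
    path = (root / name).resolve()
    if root not in path.parents:
        return None
    return path


def flag_help_param(value):
    """Detection: True when the parameter carries shell metacharacters. Worth
    logging explicitly, since POST payloads are often absent from server logs."""
    return SHELL_META.search(value) is not None


if __name__ == "__main__":
    for candidate in ("AccessControlMatrix.help", 'AccessControlMatrix.help" | net user"'):
        print(repr(candidate), "->", resolve_help_path(candidate),
              "flagged:", flag_help_param(candidate))
```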
Question & Answer
   Thank You
   Surachai Chatchalermpun
    surachai.c@pttict.com

More Related Content

What's hot

Oracle_Cisco identity platform approach_webcast
Oracle_Cisco identity platform approach_webcastOracle_Cisco identity platform approach_webcast
Oracle_Cisco identity platform approach_webcastOracleIDM
 
Scaling identity to internet proportions
Scaling identity to internet proportionsScaling identity to internet proportions
Scaling identity to internet proportionsOracleIDM
 
Ioug webcast entitlements in check
Ioug webcast entitlements in checkIoug webcast entitlements in check
Ioug webcast entitlements in checkOracleIDM
 
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...Cyber Security Alliance
 
Gartner iam 2011-analytics-aj-orig-recordednp-final
Gartner iam 2011-analytics-aj-orig-recordednp-finalGartner iam 2011-analytics-aj-orig-recordednp-final
Gartner iam 2011-analytics-aj-orig-recordednp-finalOracleIDM
 
Five Must Haves to Prevent Encryption Disasters
Five Must Haves to Prevent Encryption DisastersFive Must Haves to Prevent Encryption Disasters
Five Must Haves to Prevent Encryption DisastersVenafi
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityBob Rhubart
 
Declarative security-oes
Declarative security-oesDeclarative security-oes
Declarative security-oesOracleIDM
 
Syed Siraj - Telecom_Infrastructure Manager
Syed Siraj - Telecom_Infrastructure ManagerSyed Siraj - Telecom_Infrastructure Manager
Syed Siraj - Telecom_Infrastructure ManagerSiraj Syed
 
Resume for Wintel Admin- Naveen Gupta
Resume for Wintel Admin- Naveen GuptaResume for Wintel Admin- Naveen Gupta
Resume for Wintel Admin- Naveen GuptaNaveen Gupta
 
Healthcare it consolidated
Healthcare it consolidatedHealthcare it consolidated
Healthcare it consolidatedOracleIDM
 
Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4OracleIDM
 
Manpower group idm-platform
Manpower group idm-platformManpower group idm-platform
Manpower group idm-platformOracleIDM
 
A better waytosecureapps-finalv1
A better waytosecureapps-finalv1A better waytosecureapps-finalv1
A better waytosecureapps-finalv1OracleIDM
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formulaOracleIDM
 

What's hot (16)

Advanced persistent threats
Advanced persistent threatsAdvanced persistent threats
Advanced persistent threats
 
Oracle_Cisco identity platform approach_webcast
Oracle_Cisco identity platform approach_webcastOracle_Cisco identity platform approach_webcast
Oracle_Cisco identity platform approach_webcast
 
Scaling identity to internet proportions
Scaling identity to internet proportionsScaling identity to internet proportions
Scaling identity to internet proportions
 
Ioug webcast entitlements in check
Ioug webcast entitlements in checkIoug webcast entitlements in check
Ioug webcast entitlements in check
 
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
 
Gartner iam 2011-analytics-aj-orig-recordednp-final
Gartner iam 2011-analytics-aj-orig-recordednp-finalGartner iam 2011-analytics-aj-orig-recordednp-final
Gartner iam 2011-analytics-aj-orig-recordednp-final
 
Five Must Haves to Prevent Encryption Disasters
Five Must Haves to Prevent Encryption DisastersFive Must Haves to Prevent Encryption Disasters
Five Must Haves to Prevent Encryption Disasters
 
Enterprise Strategy for Cloud Security
Enterprise Strategy for Cloud SecurityEnterprise Strategy for Cloud Security
Enterprise Strategy for Cloud Security
 
Declarative security-oes
Declarative security-oesDeclarative security-oes
Declarative security-oes
 
Syed Siraj - Telecom_Infrastructure Manager
Syed Siraj - Telecom_Infrastructure ManagerSyed Siraj - Telecom_Infrastructure Manager
Syed Siraj - Telecom_Infrastructure Manager
 
Resume for Wintel Admin- Naveen Gupta
Resume for Wintel Admin- Naveen GuptaResume for Wintel Admin- Naveen Gupta
Resume for Wintel Admin- Naveen Gupta
 
Healthcare it consolidated
Healthcare it consolidatedHealthcare it consolidated
Healthcare it consolidated
 
Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4Cso oow12-summit-sonny-sing hv4
Cso oow12-summit-sonny-sing hv4
 
Manpower group idm-platform
Manpower group idm-platformManpower group idm-platform
Manpower group idm-platform
 
A better waytosecureapps-finalv1
A better waytosecureapps-finalv1A better waytosecureapps-finalv1
A better waytosecureapps-finalv1
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formula
 

Similar to C S S L P & OWASP 2010 & Web Goat By Surachai.C Publish Presentation

Setting up a secure development life cycle with OWASP - seba deleersnyder
Setting up a secure development life cycle with OWASP - seba deleersnyderSetting up a secure development life cycle with OWASP - seba deleersnyder
Setting up a secure development life cycle with OWASP - seba deleersnyderSebastien Deleersnyder
 
Csslp Launch Presentation
Csslp Launch PresentationCsslp Launch Presentation
Csslp Launch Presentationgueste35899
 
Midrange role in isets
Midrange role in isetsMidrange role in isets
Midrange role in isetsraziqfareed
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Cast Application Intelligence Platform
Cast Application Intelligence PlatformCast Application Intelligence Platform
Cast Application Intelligence PlatformJohn Fotiadis ✔️
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Perforce
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The CloudPECB
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Is an agile SDLC an oxymoron?
Is an agile SDLC an oxymoron? Is an agile SDLC an oxymoron?
Is an agile SDLC an oxymoron? Dave Sharrock
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterDinis Cruz
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...CA Technologies
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 

Similar to C S S L P & OWASP 2010 & Web Goat By Surachai.C Publish Presentation (20)

Setting up a secure development life cycle with OWASP - seba deleersnyder
Setting up a secure development life cycle with OWASP - seba deleersnyderSetting up a secure development life cycle with OWASP - seba deleersnyder
Setting up a secure development life cycle with OWASP - seba deleersnyder
 
Csslp Launch Presentation
Csslp Launch PresentationCsslp Launch Presentation
Csslp Launch Presentation
 
Midrange role in isets
Midrange role in isetsMidrange role in isets
Midrange role in isets
 
Malik M. Ashfaque - CV
Malik M. Ashfaque - CVMalik M. Ashfaque - CV
Malik M. Ashfaque - CV
 
IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product Overview
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Cast Application Intelligence Platform
Cast Application Intelligence PlatformCast Application Intelligence Platform
Cast Application Intelligence Platform
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The Cloud
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Is an agile SDLC an oxymoron?
Is an agile SDLC an oxymoron? Is an agile SDLC an oxymoron?
Is an agile SDLC an oxymoron?
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 

C S S L P & OWASP 2010 & Web Goat By Surachai.C Publish Presentation

  • 1. Certified Secure Software Lifecycle Professional (CSSLP) Master Degree in Management Information Systems (MSMIS) Faculty of Commerce and Accountancy, Thammasat University 05-April-2010 Surachai Chatchalermpun
  • 2. Speaker Profile , CSSLP, ECSA , LPT 2
  • 3. Agenda Challenges Today… What is CSSLP? What is OWASP? What is WebGoat? WebGoat Lesson!
  • 4. Challenges Today… • Over 70% of breaches of security vulnerabilities exist at the application level. (Gartner Group, 2005) • Software is often not developed with security in mind • Attack targeted, financially motivated attacks continue to rise • Attacks are moving up the application stack • New technology waves keep on coming -- there are still numerous emerging threat vectors which require increased spending in certain security sub-segments. Source: Global Information Security & IT Security Personnel Development in USA – trend and hurdles, Prof. Howard A. Schmidt
  • 5. Source: Issue number 9 Info Security Professional Magazine
  • 6. W. Hord Tipton, CISSP- ISSEP, CAP, CISA (ISC)² Executive Director
  • 7. What is the CSSLP? • Certified Secure Software Lifecycle Professional (CSSLP) • Base credential • Professional certification program • Takes a holistic approach to security in the software lifecycle • Tests candidates competency (KSAs) to significantly mitigate the security concerns
  • 8. Global leaders in certifying and educating information security professionals with the CISSP® and related concentrations, CAP® and SSCP®. • Established in 1989 – not-for-profit consortium of industry leaders. • More than 60,000 certified professionals in over 135 countries. • Board of Directors - top information security professionals worldwide. • All of our information security credentials are accredited ANSI/ISO/IEC Standard 17024 and were the first technology- related credentials to receive this accreditation.
  • 9. Over 70% of breaches of security vulnerabilities exist at the application level.* * Gartner Group, 2005
  • 10. Purpose • Provide a credential that speaks to the individual’s understanding of and ability to deliver secure software through the use of best practices. • The target professionals for this Certification would be anyone who is directly and in some cases indirectly, involved in the Software Lifecycle.
  • 11. Software Lifecycle Stakeholder Chart Top Management Auditors Business Unit Heads Client Side PM IT Manager Industry Group Delivery Heads Security Specialists Software Lifecycle Business Stakeholders Application Owners Analysts Developers/ Quality Coders Assurance Influencers Managers Primary Target Project Managers/ Technical Secondary Target Architects Team Leads
• 12. Market Drivers • Security is everyone's responsibility • Software vulnerabilities have emerged as a major concern • Offshoring of software development • Software is often not developed with security in mind • Desire to meet growing industry needs
  • 13. Certified Secure Software Lifecycle Professional (ISC)² CSSLP CBK 7 Domains: • Secure Software Concepts • Secure Software Requirements • Secure Software Design • Secure Software Implementation/Coding • Secure Software Testing • Software Acceptance • Software Deployment, Operations, Maintenance, and Disposal
• 14. CSSLP Certification Requirements By Experience Assessment: • Experience Assessment will be open until March 31, 2009 • Candidate will be required to submit: – Experience Assessment Application – Signed candidate agreement and adherence to the (ISC)² Code of Ethics – Detailed resume of experience – Four essay responses (250 to 500 words each) detailing experience in four of the following knowledge areas: Applying Security Concepts to Software Development; Software Design; Software Implementation/Coding; Software Testing; Software Acceptance; Software Deployment, Operations, Maintenance, and Disposal – Fee of $650
• 15. CSSLP Certification Requirements By Examination: • The first public exam will be held at the end of June 2009 • Candidate will be required to submit: – Completed examination registration form – Signed candidate agreement and adherence to the (ISC)² Code of Ethics – Proof of 4 years of full-time-equivalent (FTE) experience in the Software Development Lifecycle (SDLC) process, or 3 years plus a 1-year experience waiver for a degree in an IT-related field – Fee of $549 early-bird and $599 standard • Candidate will be required to: – Pass the official (ISC)² CSSLP certification examination – Complete the endorsement process • The Associate of (ISC)² Program applies to those who have passed the exam but still need to acquire the minimum experience requirements
• 16. CSSLP CBK Overlap between other Certifications/Programs (chart) • GSSP-C and GSSP-J (SANS): software coder certification programs • CSSE (ISSECO): entry-level education program • CSSLP ((ISC)²): professional certification program • Software Assurance Initiative (DHS): awareness effort with a certificate of completion • CSDA (IEEE): associate-level certification program; CSDP (IEEE): professional-status certification program • Vendor-specific credentials
• 17. Future of CSSLP • International marketing efforts • ANSI/ISO/IEC 17024 accreditation • Maintenance activities • Certification education program
  • 18. Hear what Anthony Lim, from IBM, has to say about CSSLP
• 20. Why is Web Application Security Important? • Easiest way to compromise hosts, networks and users. • Widely deployed. • No logs! (POST request payloads are normally not logged) • Incredibly hard to defend against or detect. • Most don't think of locking down web applications. • Intrusion detection is a joke. • Firewall? What firewall? I don't see no firewall… • An SSL-encrypted transport layer does nothing against attacks carried inside the session. Source: White Hat Security
• 21. Web Application Hacking (diagram: attack path from the Internet through the Outer DMZ Zone into the Inner Server Farm Zone) Source: White Hat Security
• 22. Your "Code" is Part of Your Security Perimeter (diagram: an application-layer attack passes through the network layer, Outer Firewall, Hardened OS, Web Server, Inner Firewall and App Server, straight into the application layer: Custom Developed Application Code, Databases, Legacy Systems, Web Services, Directories, Human Resource and Billing systems) • Your security "perimeter" has huge holes at the application layer • You can't use network layer protection (firewall, SSL, IDS, hardening) to stop or detect application layer attacks Source: White Hat Security
• 23. The Web Application Security Risk • Web applications are vulnerable: – Each application exposes its own vulnerabilities. – They change frequently, requiring constant tuning of application security. – They are complex and feature-rich with the advent of AJAX, Web Services and Web 2.0 (and social networks). • Web applications are threatened: – New business models drive "for profit" hacking. – Attacks are performed by black-hat professionals, enabling complex attacks. • Potential impact may be severe: – Web applications are used for sensitive information and important transactions. Source: White Hat Security
• 24. Threat is Difficult to Assess • Web attacks are stealthy: – Victims hide breaches. – Incidents are not detected. • Statistics are skewed: – The number of incidents reported is statistically insignificant. Source: Breach Security
  • 25. Source: Web Hacking Incidents Database
  • 26. Source: Web Hacking Incidents Database
• 27. Available Sources of Attack Data • Zone-H (The Hacker Community) – http://www.zone-h.org – The most comprehensive attack repository, very important for public awareness. – Reported by hackers and focused on defacements. • WASC Statistics Project – http://www.webappsec.org • OWASP Top 10 – http://www.owasp.org
• 31. Key Principle • 3 Pillars of ICT (PPT): People, Process, Technology (Tool) • 3 Pillars of Security (CIA): Confidentiality, Integrity, Availability, each paired with the threat it defends against: Disclosure, Alteration, Disruption
• 32. Root Causes of Application Insecurity: PPT (diagram: custom code for Knowledge Mgmt, Communication, Administration, Bus. Functions, Transactions, E-Commerce, Accounts and Finance, surrounded by Untrained People and Organizational Structure Issues, Missing or Inadequate Processes, and Missing or Inadequate Tools, Libraries, or Infrastructure) • People and Organization examples: – Lack of application security training – Roles & responsibilities not clear – No budget allocated • Process examples: – Underestimated risks – Missed requirements – Inadequate testing and reviews – Lack of metrics – Lack of implementing best practices or standards – No detection of attacks • Technology examples: – Lack of appropriate tools – Lack of common infrastructure – Configuration errors Source: OWASP
• 33. People / Processes / Technology • People: Training, Awareness, Guidelines • Processes: Secure Development, Secure Code Review, Security Testing • Technology: Automated Testing, Application Firewalls, Secure Configuration
• 34. SDLC & OWASP Guidelines Source: OWASP
• 39. What is OWASP? The Open Web Application Security Project (OWASP) is: A not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. Source: http://www.owasp.org
  • 40. OWASP Foundation has over 130 Local Chapters
• 46. What is WebGoat? WebGoat is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
• 48. WebGoat Installation: Windows (download, extract, double-click the release) 1. To start Tomcat, browse to the WebGoat directory unzipped above and double-click "webgoat.bat" 2. Start your browser and browse to http://localhost/WebGoat/attack (notice the capital 'W' and 'G') 3. Log in as user = guest, password = guest 4. To stop WebGoat, simply close the window you launched it from.
• 53. Solution: WebGoat Lesson 3: inject a tautology (True OR ? = True), so that whatever value the application compares against, the combined condition is always true.
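The tautology on the slide is the classic SQL injection pattern: the attacker closes the string literal the application built around their input and ORs in a condition that is always true. The block below is an added example, not code from the slides or from WebGoat; it assumes the lesson is WebGoat's string SQL injection exercise and models a user_data table with constructed rows. It shows the lookup built by string concatenation returning every row for the payload, the same query rejecting an honest apostrophe with a syntax error (the tell-tale sign testers look for), and the parameterized fix treating the payload as plain data.

```python
"""Tautology SQL injection, as in WebGoat's string SQL injection lesson.

Added example (not WebGoat's code): an in-memory SQLite copy of a user_data
table, a lookup built by string concatenation, and the parameterized fix.
Table layout, sample rows and the PAYLOAD value are constructed for this demo.
"""
import sqlite3

# Constructed sample rows, modelled on the lesson's user_data table.
SAMPLE_ROWS = [
    (101, "Joe", "Snow", "987654321"),
    (102, "John", "Smith", "2234200065411"),
    (103, "Jane", "Plane", "123456789"),
]

# The tautology: closes the attacker-controlled string literal, then ORs in a
# condition that is always true, so every row satisfies the WHERE clause.
PAYLOAD = "Smith' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data ("
        "userid INTEGER, first_name TEXT, last_name TEXT, cc_number TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list:
    """The insecure pattern: user input is spliced into the SQL text."""
    sql = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """The fix: a bound parameter is data and is never parsed as SQL."""
    sql = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def demo() -> dict:
    """Run both lookups with an honest name, an apostrophe and the payload."""
    conn = make_db()
    try:
        odd_name = lookup_vulnerable(conn, "O'Brien")
    except sqlite3.OperationalError:
        # The stray quote breaks the query: exactly the error probing reveals.
        odd_name = "syntax error"
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, "Smith")),
        "vulnerable_payload": len(lookup_vulnerable(conn, PAYLOAD)),
        "vulnerable_odd_name": odd_name,
        "safe_honest": len(lookup_safe(conn, "Smith")),
        "safe_payload": len(lookup_safe(conn, PAYLOAD)),
        "safe_odd_name": len(lookup_safe(conn, "O'Brien")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns one row for "Smith" and all three for the payload, because the executed statement is `SELECT * FROM user_data WHERE last_name = 'Smith' OR '1'='1'`; the parameterized lookup returns zero rows for the payload, since it searches for a last name that is literally the payload string.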
• 57. Solution: WebGoat Lesson 5: use Tamper Data (Firefox plug-in) to edit the variable value to: AccessControlMatrix.help" | net user"
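The piped `net user` in that value shows what the lesson is: the requested help-file name is spliced into an OS command line, so a closing quote followed by a pipe runs a second command on the server. The block below is an added example, not code from the slides or from WebGoat. It assumes the insecure code builds a `cmd.exe /c type "..."` line from the name (the directory and command are assumptions), then shows the replacement a reviewer would ask for: validate the name against an allowlist and a strict character pattern, confirm the resolved path stays inside the help directory, and read the file directly so no shell is ever involved.

```python
"""OS command injection, as in the WebGoat help-file lesson the slide solves.

Added example (not WebGoat's code): the insecure pattern splices the requested
help-file name into a shell command line, so the value
    AccessControlMatrix.help" | net user"
closes the quoted path and pipes into a second command.  The fix never reaches
a shell: it validates the name and reads the file itself.  The directory
layout, the command line and the allowlist are assumptions for this demo.
"""
import re
import tempfile
from pathlib import Path

# Assumed allowlist of lesson-plan files the application may serve.
HELP_FILES = {"AccessControlMatrix.help", "SqlInjection.help"}
# A bare file name: letters, digits and underscores, then ".help".  No
# separators, quotes, slashes or whitespace can pass this pattern.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+\.help")
# The value the slide submits through Tamper Data.
INJECTED = 'AccessControlMatrix.help" | net user"'


def vulnerable_command(help_file: str) -> str:
    """Insecure: build the shell line by concatenation, as the lesson code does."""
    return f'cmd.exe /c type "lesson_plans\\{help_file}"'


def validate_help_file(help_file: str) -> bool:
    """Two independent checks: a plain token, and a name we actually serve."""
    return SAFE_NAME.fullmatch(help_file) is not None and help_file in HELP_FILES


def read_help(help_dir: Path, help_file: str) -> str:
    """Secure replacement: validate, contain, then read without any shell."""
    if not validate_help_file(help_file):
        raise ValueError(f"rejected help file name: {help_file!r}")
    target = (help_dir / help_file).resolve()
    if target.parent != help_dir.resolve():
        raise ValueError("resolved path escapes the help directory")
    return target.read_text(encoding="utf-8")


def demo() -> dict:
    """Exercise the safe reader with a valid name and with hostile ones."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        help_dir = Path(tmp)
        # Constructed lesson-plan file so the example runs offline.
        (help_dir / "AccessControlMatrix.help").write_text(
            "Lesson plan: access control matrix\n", encoding="utf-8")
        results["valid"] = read_help(
            help_dir, "AccessControlMatrix.help").startswith("Lesson plan")
        for name in (INJECTED, "../etc/passwd", "AccessControlMatrix.help & whoami"):
            try:
                read_help(help_dir, name)
                results[name] = "accepted"
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print("shell line the insecure code would run:", vulnerable_command(INJECTED))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For the injected value the insecure code produces `cmd.exe /c type "lesson_plans\AccessControlMatrix.help" | net user""`: the attacker's first quote terminates the path, the pipe starts `net user`, and the trailing quote pair keeps the line syntactically valid. The safe reader rejects that value, the traversal attempt and the `&`-chained variant before any file or process is touched.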
  • 58. Question & Answer Thank You Surachai Chatchalermpun surachai.c@pttict.com