Dpc14 security as part of Quality Assurance

•

0 gostou•459 visualizações

Boy Baukema

Implementing OWASP ASVS in a development organisation by

Tecnologia Notícias e política

In custom software, if you haven’t properly
tested it, it probably doesn’t work.
This goes for both functional and nonfunctional
requirements.
Worse yet if you don’t even know what ‘it’ is
supposed to be.
My claim

Who is this then?
Boy Baukema
Security Specialist @ Ibuildings.nl

Security what?
Senior Engineer
+ interest in WebAppSec
+ 4 hours a week R&D
+ internal training & consultancy
+ internal & external auditing

Okay, and you do this where?
Ibuildings.nl
web & mobile, 20+ devs, mostly PHP

You
developer, manager, executive
pentester, security consultant, ?

The plan
1. The journey
2. The holy grail
3. Riding off into the sunset

A assignment
Make security something I can sell,
give managers a knob to turn

OWASP ASVS
Open Web Application Security Project
Application Security Verification Standard

Level 1 Level 2 Level 3
Chapter 1
Requirement 1.1
Requirement 1.2
Requirement 1.3
X X
X
X
X
X
X
Chapter 2
Requirement 2.1
...
X

ASVS Levels (2013)
Level 0 - Bullshit compliance level (0)
Level 1 - Opportunistic (47)
Level 2 - Standard (136)
Level 3 - Advanced (164)

V1. Authentication
V2. Session Management
V3. Access Control
V4. Input Validation
V5. Cryptography (at Rest)
V6. Error Handling and Logging
V7. Data Protection
V8. Communication Security
V9. HTTP Security
V10. Malicious Controls
V11. Business Logic
V12. Files and Resources
V13. Mobile
ASVS Chapters

An example
V1.4. Verify that credentials and all other
identity information handled by the application
does not traverse unencrypted or weakly
encrypted links.
(level 1, 2 & 3)

First attempt
V2.7 Verify that the strength of any
authentication credentials are sufficient to
withstand attacks that are typical of the threats
in the deployed environment.
(OWASP ASVS 2009 Level 2)

Enter ASVS 2013 (Beta)
Release any day now!

+ is for effort
… scope of the verification may go beyond the
application’s custom-built code and include
external components. Achieving a verification
level under such scrutiny can be represented
by annotating a “+” symbol to the verification
level.

The End
Questions?
boy.baukema@owasp.org
boy@ibuildings.nl
https://twitter.com/relaxnow

Mais conteúdo relacionado

Mais procurados

Innovating Faster with Continuous Application Security Jeff Williams

Security champions v1.0Dinis Cruz

Santosh1Santosh Mohapatra

Application Security at DevOps Speed and Portfolio ScaleJeff Williams

Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Veracode

The Web AppSec How-To: The Defender's ToolboxCheckmarx

Enterprise Security APIsAdam Migus

Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network

Securing a Cloud MigrationCarlos Andrés García

Spring Security in ActionManning Publications

Mobile application security GuidelinesEntersoft Security

Positive Technologies Application Inspectorqqlan

Anatomy of an Attack - Sophos Day Belux 2014Sophos Benelux

Mobile security recipes for xamarinNicolas Milcoff

Secure Code review - Veracode SaaS Platform - Saudi Green MethodSalil Kumar Subramony

Making DevSecOps a Reality in your Spring ApplicationsHdiv Security

OWASP API Security TOP 10 - 2019Miguel Angel Falcón Muñoz

Security ResumeSanklan Saxena

"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen

Implementing an Application Security Pipeline in JenkinsSuman Sourav

Mais procurados (20)

Innovating Faster with Continuous Application Security

Security champions v1.0

Santosh1

Application Security at DevOps Speed and Portfolio Scale

Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...

The Web AppSec How-To: The Defender's Toolbox

Enterprise Security APIs

Developing Secure Applications and Defending Against Common Attacks

Securing a Cloud Migration

Spring Security in Action

Mobile application security Guidelines

Positive Technologies Application Inspector

Anatomy of an Attack - Sophos Day Belux 2014

Mobile security recipes for xamarin

Secure Code review - Veracode SaaS Platform - Saudi Green Method

Making DevSecOps a Reality in your Spring Applications

OWASP API Security TOP 10 - 2019

Security Resume

"CERT Secure Coding Standards" by Dr. Mark Sherman

Implementing an Application Security Pipeline in Jenkins

Destaque

SURFconext and MobileBoy Baukema

Secure Drupal, from start to finishBoy Baukema

Portfolio De VeiculosElderMonteiro

OWASP ASVS 3 - What's new for level 1?Boy Baukema

Recursive descent parsingBoy Baukema

WebAppSec @ Ibuildings in 2014Boy Baukema

Verifying Drupal modules with OWASP ASVS 2014Boy Baukema

Security as a part of quality assuranceBoy Baukema

Let's build a parser!Boy Baukema

Javascript: 8 Reasons Every PHP Developer Should Love ItBoy Baukema

Destaque (10)

SURFconext and Mobile

Secure Drupal, from start to finish

Portfolio De Veiculos

OWASP ASVS 3 - What's new for level 1?

Recursive descent parsing

WebAppSec @ Ibuildings in 2014

Verifying Drupal modules with OWASP ASVS 2014

Security as a part of quality assurance

Let's build a parser!

Javascript: 8 Reasons Every PHP Developer Should Love It

Semelhante a Dpc14 security as part of Quality Assurance

Security as a New Metric for Your Business, Product and Development Lifecycle...IT Arena

Security as a new metric for Business, Product and Development LifecycleNazar Tymoshyk, CEH, Ph.D.

Software Security CertificationVskills

Owasp masvs spain 17Luis A. Solís

Building an AppSec Team Extended CutMike Spaulding

Mike Spaulding - Building an Application Security Programcentralohioissa

10 Steps To Secure Agile DevelopmentCheckmarx

Agnitio: its static analysis, but not as we know itSecurity BSides London

What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen

DevSecOpsSpv Reddy

Security Validation as Code.pdfPrancer Io

AppSec How-To: Achieving Security in DevOpsCheckmarx

Agile and Secure DevelopmentNazar Tymoshyk, CEH, Ph.D.

Security is our duty and we shall deliver it - White PaperMohd Anwar Jamal Faiz

Demand for Penetration Testing Services.docxAardwolf Security

Secure SDLC in mobile software development.Mykhailo Antonishyn

Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Berezha Security Group

Security Process in DevSecOpsOpsta

Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24

BitSensor Webwinkel Vakdagenwebwinkelvakdag

Semelhante a Dpc14 security as part of Quality Assurance (20)

Security as a New Metric for Your Business, Product and Development Lifecycle...

Security as a new metric for Business, Product and Development Lifecycle

Software Security Certification

Owasp masvs spain 17

Building an AppSec Team Extended Cut

Mike Spaulding - Building an Application Security Program

10 Steps To Secure Agile Development

Agnitio: its static analysis, but not as we know it

What Every Developer And Tester Should Know About Software Security

DevSecOps

Security Validation as Code.pdf

AppSec How-To: Achieving Security in DevOps

Agile and Secure Development

Security is our duty and we shall deliver it - White Paper

Demand for Penetration Testing Services.docx

Secure SDLC in mobile software development.

Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...

Security Process in DevSecOps

Outpost24 webinar - Demystifying Web Application Security with Attack Surface...

BitSensor Webwinkel Vakdagen

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung

Finology Group – Insurtech Innovation Award 2024The Digital Insurer

08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes

What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco

TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc

Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services

GenCyber Cyber Security Day PresentationMichael W. Hawkins

presentation ICT roal in 21st century educationjfdjdjcjdnsjd

Boost PC performance: How more available memory can improve productivityPrincipled Technologies

[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun

Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer

Evaluating the top large language models.pdfChristopherTHyatt

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge

Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2

Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko

Dpc14 security as part of Quality Assurance

1. Security, a part of QA

2. In custom software, if you haven’t properly tested it, it probably doesn’t work. This goes for both functional and nonfunctional requirements. Worse yet if you don’t even know what ‘it’ is supposed to be. My claim

3. Who is this then? Boy Baukema Security Specialist @ Ibuildings.nl

4. Security what? Senior Engineer + interest in WebAppSec + 4 hours a week R&D + internal training & consultancy + internal & external auditing

5. Okay, and you do this where? Ibuildings.nl web & mobile, 20+ devs, mostly PHP

6. You developer, manager, executive pentester, security consultant, ?

7. The plan 1. The journey 2. The holy grail 3. Riding off into the sunset

8. What is security anyway?

10. A assignment Make security something I can sell, give managers a knob to turn

11. OWASP ASVS Open Web Application Security Project Application Security Verification Standard

12. Level 1 Level 2 Level 3 Chapter 1 Requirement 1.1 Requirement 1.2 Requirement 1.3 X X X X X X X Chapter 2 Requirement 2.1 ... X

13. ASVS Levels (2013) Level 0 - Bullshit compliance level (0) Level 1 - Opportunistic (47) Level 2 - Standard (136) Level 3 - Advanced (164)

14. V1. Authentication V2. Session Management V3. Access Control V4. Input Validation V5. Cryptography (at Rest) V6. Error Handling and Logging V7. Data Protection V8. Communication Security V9. HTTP Security V10. Malicious Controls V11. Business Logic V12. Files and Resources V13. Mobile ASVS Chapters

15. An example V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3)

16. So how does this tie into QA?

17. First attempt V2.7 Verify that the strength of any authentication credentials are sufficient to withstand attacks that are typical of the threats in the deployed environment. (OWASP ASVS 2009 Level 2)

18. AASVS, Scanners & A Report Generator

19. Enter ASVS 2013 (Beta) Release any day now!

20. + is for effort … scope of the verification may go beyond the application’s custom-built code and include external components. Achieving a verification level under such scrutiny can be represented by annotating a “+” symbol to the verification level.

21. OWASP AASVS 2013

22. A plan for the future

23. OWASP SAMM

24. The End Questions? boy.baukema@owasp.org boy@ibuildings.nl https://twitter.com/relaxnow