SlideShare a Scribd company logo

A journey into Application Security

Christian Martorella
Christian Martorella

A journey into application security will cover the relation and evolution of application security with the different approaches to development from Waterfall to Devops.

Technology
1 of 49
Download to read offline
A  Journey  into  Application   Security Christian  Martorella ISACA  Italy  2014 Venezia,  3rd October
Who  am  I • Principal  Program  Manager,  Product  Security Skype  – Microsoft • Edge-­‐Security:  Wfuzz,  theHarvester,  Metagoofil,  Webslayer • Presented  in  many  Security  conferences:  Hack.lu,  BlackhatArsenal,   Source,  OWASP  Summit,  OSIRA • CIS(A,M,SP),  OPS(T,A)  
My  background • Started  as  internal  security  auditor  (Offensive) • System  and  network  security  responsible  of  a  small  ISP  (Defensive) • Penetration  tester  -­‐>  Team  leader  (Offensive) • Practice  lead  for  Threat  and  Vulnerability  in  EMEA  (Offensive) • Product  Security  Analyst  in  Skype  (Defensive)
Introduction This presentation is about the evolution of software development and the relation with Applicationsecurity. How application security teams adapted over time and the challenges we are facing
Waterfall  development
Waterfall  development • Originated  from  the  manufacturing  and  construction  industries.   • Hardware  oriented  model  adapted  to  Software  development • Sequential  design  process • Introduced  by  Winston  Royce  in  the  ’70
Waterfall  development • Make  sure  each  phase  is  100%  complete  and  absolutely  correct   before  proceeding  to  the  next  phase • Emphasis  on  documentation • Project  span  across  long  period  of  time • Time  spent  early on  making  sure  requirements and  design are  correct saves  much  time  and  effort  later.
Application  Security Microsoft  Secure  Development  Lifecycle  (SDL) Set  of  software  development  process  improvements Born  in  2002  and  established  in  2004,  as  result  of  MS  Trustworthy  Computer   (TWC)  initiative. More  than  50%  less  vulnerabilities  in  shipped  code
SDL  Methodologies
SDL  evolution
Security  approach Influence  in  the  Design  phase: • All  functional  and  design  specifications,   regardless  of  document  size,  should   contain  a  section  describing  how  the  component  impacts  security • Threat  Modeling:  Understand  assets  to  protect,  threats  and  vulnerabilities   to   the  product  and  how  will  be  mitigated.  Critical  to  create  a  secure  software Most  important  phase  in  Waterfall
Security  approach Development  phase: Implement  security  tools:   • Static  analysis,  Banned  Apis,  FxCop,  /Analyze Implement  security  checklist Secure  coding  best  practices Verification  /  Release  phase: Fuzzing Verify  /  validate  Threat  Model Final  security  review  (FSR) Security  testing  by  another  team  or  third  party
Challenges • Lack  of  security  requirementsin  design  phase  will  make  it  difficult  to  add   them  in  later  stages • Non  iterative  nature  makes  difficult  to  fix  issues  identified  in  advanced   stages  of  development • Issues  detected  in  the  Final  review,  will  be  expensive  to  fix
Agile  development
Agile  development • Cross  functional  teams,  self  organizing • Short  time  boxed  development  iterations • Delivery  of  small  functional  stories • Listen  to  customer  needs  and  adapt • Usually  low  in  documentation
Agile  Manifesto Individuals  and  interactionsover  processes  and  tools Working  software  over  comprehensive  documentation Customer  collaboration  over  contract  negotiation Responding  to  change  over  following  a  plan That  is,  while  there  is  value  in  the  items  on the  right,  we  value  the  items  on  the  left  more.
Challenges • SDL  too  complex  to  fit  in  each  release/Sprint • Design,  requirements  evolve  over  time • New  interactions  with  third  parties  are  not  known  in  advance • Teams  usually  don’t  have  an  Application  Security  specialist • Teams  move  faster  than  Waterfall • New  code  is  being  pushed  to  production  every  week  or  even  days. • Low  on  documentation
SDL  for  Agile
SDL  for  Agile The  categorization  of  SDL  requirements  into: • every-­‐sprint • one-­‐time • Three  bucket  groups  (Verification,  design,  Response) is  the  SDL-­‐Agile  solution  for  dealing  with  SDL  in  Agile  environments
Recommendations • Training  the  teams  and  providing  them  with  tools  is  the  most   important  aspect  in  order  to  implement  SDL  in  Agile  teams • Security  specialist  assigned  to  a  few  teams,  to  provide  consultancy • Useful  to  participate  in  Sprint  planning  to  understand  what  is  going   on • Sprint  Security  Checklist  (FSR),  after  Sprint  planning • Get  familiar  with  Agile  tools,  backlog.
SDL  for  Agile • Continuous  Integration  (Automation):   Secure  Code  analysis Security  unit  test Vulnerability  scanning Secure  configuration
Happiness
Cloud  fotos
Cloud • “We  want  to  start  using  Cloud  services”
Challenges • Security  of  the  data • Security  of  the  servers • Who  is  responsible  for  the  servers • Where  is  the  data  located • Encryption  at  rest • Disks  reutilization
Security  Approach • New  Security  policy  for  Cloud  services • Security  Onboarding  for  teams • Inventory  of  cloud  services
DEVOPS
Why  Devops? • Continuous  software  delivery   • Faster  delivery  of  features • Faster  resolution  of  problems • Less  complex  problems  to  fix More  Deploys  Means  Faster  Time  to  Market  and  Continual  Improvement
Challenges • Rapid  releases  cycles  (every  day,  multiple  times  a  day) • Autonomous  teams   • Teams  are  doing  development  and  operations  now • Infrastructure  also  changes  fast
Development  cycles Waterfall Agile Devops
Surviving  Devops • Providing  security  training  to  teams • Provide  security  policies,  guidelines • Security  and  abuse  stories,  driven  by  business • Situational  awareness:   • What  do  we  have? • Changes,  alerts. • Attack  surface,  priorities
Surviving  Devops • Automation: • Integrate  testing  into  continuous  integration  and  release  process  (Chef  &   Puppet) • Integrate  and  extend  production  configuration  monitoring • Develop  your  own  security  testing  tools,  more  focused  and  adapted  to  your   particular  needs
Surviving  Devops Situational  awareness  &  Automation  example: -­‐Source  code  Product  attack  surface  analyzer,  alerts,  prioritization  of   efforts.   -­‐Internet  footprint,  scanning  and  inventory.  Updated  every  hour.
Surviving  Devops • Integrate  InfoSec  and  IR  into  the  Ops/Devs escalation  process • Harden  the  production  environment • Provide  guidelines/baselines   on  what  is  a  hardened  environment • Automate  hardening  (Chef/Puppet) • Tolerate  failure  in  production  environments  (Chaos  Monkey)
Surviving  Devops • Metrics:   • Identify  if  teams  are  repeating  certain  type  of  vulnerabilities,   train  them  to   prevent  repeating  again.   • Prioritize  training • Modify  policies  and  baselines • Tune  tools • Interact  more  closely  with  teams,  attend  to  standups • Be  more  flexible  and  adapt  to  team  processes   • mesh  with  the  unique  development  cultures  of  individual  teams
The  Future? Rugged  software “Rugged”  describes  software  development  organizations  which  have  a   culture  of  rapidly  evolving  their  ability  to  create  available,  survivable,   defensible,  secure,  and  resilient  software Rugged  is  NOT  a  technology,  process  model,  SDLC,  or  organizational   structure.  It’s  not  even  a  noun.
Rugged  software Rugged  describes  staying  ahead  of  the  threat  over  time “We  are  convinced  that  negative  and  reactive  approaches  to   application  security  cannot  scale  and  are  doomed  to  fail.  These   approaches  primarily  rely  on  finding  vulnerabilities  and  fixing  them.”
Rugged  Manifesto I  am  rugged  and,  more  importantly,  my  code  is  rugged. I  recognize  that  software  has  become  a  foundation  of  our  modern  world. I  recognize  the  awesome  responsibility   that  comes  with  this  foundational  role. I  recognize  that  my  code  will  be  used  in  ways  I  cannot  anticipate,  in  ways  it  was  not  designed,   and  for  longer  than  it  was  ever  intended. I  recognize  that  my  code  will  be  attacked  by  talented  and  persistent  adversaries  who  threaten   our  physical,  economic  and  national  security. I  recognize  these  things  – and  I  choose  to  be  rugged. I  am  rugged  because  I  refuse  to  be  a  source  of  vulnerability  or  weakness. I  am  rugged  because  I  assure  my  code  will  support  its  mission. I  am  rugged  because  my  code  can  face  these  challenges   and  persist  in  spite  of  them. I  am  rugged,  not  because  it  is  easy,  but  because  it  is  necessary  and  I  am  up  for  the  challenge.
Conclusion • Development  methodologies  and  processes  changed  considerably   over  time • More  things  happening  in  shorter  period  of  time • Security  tools  and  techniques  needs  to  adapt  to  this  situation • Automation  is  key  in  Devops environment • Security  professionals  need  to  be  flexible  and  engage  more  than  ever   with  development  teams
?
Thank  you cmartorella@edge-­‐security.com
Resources • Microsoft  SDL  -­‐ http://www.microsoft.com/security/sdl/default.aspx • Rugged  Software  -­‐ https://www.ruggedsoftware.org/ • http://labs.securitycompass.com/appsec-­‐2/the-­‐cultural-­‐challenges-­‐of-­‐ application-­‐security/ • http://devops.com/features/the-­‐unexpected-­‐benefits-­‐of-­‐devops/ • http://newrelic.com/devops/benefits-­‐of-­‐devops

Recommended

Wfuzz for Penetration Testers
Wfuzz for Penetration TestersWfuzz for Penetration Testers
Wfuzz for Penetration TestersChristian Martorella
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec CareerAndrew McNicol
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration TestingMd Samsul Kabir
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 

Recommended

Wfuzz for Penetration Testers
Wfuzz for Penetration TestersWfuzz for Penetration Testers
Wfuzz for Penetration TestersChristian Martorella
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
How To Start Your InfoSec Career
How To Start Your InfoSec CareerHow To Start Your InfoSec Career
How To Start Your InfoSec CareerAndrew McNicol
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration TestingMd Samsul Kabir
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of DreamsGreg Foss
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber SecuritySatria Ady Pradana
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartSatria Ady Pradana
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingScott Sutherland
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015ESET
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningSecurityMetrics
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of LogsJack Crook
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
Tactical Information Gathering
Tactical Information GatheringTactical Information Gathering
Tactical Information GatheringChristian Martorella
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 

More Related Content

What's hot

(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of DreamsGreg Foss
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartSatria Ady Pradana
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingScott Sutherland
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015ESET
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningSecurityMetrics
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 
Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of LogsJack Crook
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 

What's hot (20)

(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of Dreams
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A Jumpstart
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From Windows
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox Testing
 
Penetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability ScanningPenetration Testing vs. Vulnerability Scanning
Penetration Testing vs. Vulnerability Scanning
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysis
 
Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of Logs
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 

Viewers also liked

Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
Oauth2 et OpenID Connect
Oauth2 et OpenID ConnectOauth2 et OpenID Connect
Oauth2 et OpenID ConnectPascal Flamand
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown Tom Eston
 
SemanticExperts-Reador octobre2016
SemanticExperts-Reador octobre2016SemanticExperts-Reador octobre2016
SemanticExperts-Reador octobre2016Pascal Flamand
 
OSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and futureOSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and futureChristian Martorella
 
Why MySQL High Availability Matters
Why MySQL High Availability MattersWhy MySQL High Availability Matters
Why MySQL High Availability MattersMatt Lord
 
Somatic Experiencing - Savera Noriega (TouchStudio) op CoachCafé Gent
Somatic Experiencing - Savera Noriega (TouchStudio) op CoachCafé GentSomatic Experiencing - Savera Noriega (TouchStudio) op CoachCafé Gent
Somatic Experiencing - Savera Noriega (TouchStudio) op CoachCafé GentYourCoach BVBA
 
July 2016 Newsletter - Issue 7 Volume 1
July 2016 Newsletter - Issue 7 Volume 1July 2016 Newsletter - Issue 7 Volume 1
July 2016 Newsletter - Issue 7 Volume 1Ward Law Firm GA
 
February 2016 Newsletter - Issue 2 Volume 1
February 2016 Newsletter - Issue 2 Volume 1February 2016 Newsletter - Issue 2 Volume 1
February 2016 Newsletter - Issue 2 Volume 1Ward Law Firm GA
 
October 2016 Newsletter — Issue 10 Volume 1
October 2016 Newsletter — Issue 10 Volume 1October 2016 Newsletter — Issue 10 Volume 1
October 2016 Newsletter — Issue 10 Volume 1Ward Law Firm GA
 
June 2016 Newsletter — Issue 6 Volume 1
June 2016 Newsletter — Issue 6 Volume 1June 2016 Newsletter — Issue 6 Volume 1
June 2016 Newsletter — Issue 6 Volume 1Ward Law Firm GA
 
November 2016 Newsletter — Issue 11 Volume 1
November 2016 Newsletter — Issue 11 Volume 1November 2016 Newsletter — Issue 11 Volume 1
November 2016 Newsletter — Issue 11 Volume 1Ward Law Firm GA
 
Semana Santa Torrejon 2015: Procesion del Encuentro en Domingo de Resurreccion
Semana Santa Torrejon 2015: Procesion del Encuentro en Domingo de ResurreccionSemana Santa Torrejon 2015: Procesion del Encuentro en Domingo de Resurreccion
Semana Santa Torrejon 2015: Procesion del Encuentro en Domingo de ResurreccionTelescopioDigital
 
Metadata in the Blockchain: The OP_RETURN Explosion
Metadata in the Blockchain: The OP_RETURN ExplosionMetadata in the Blockchain: The OP_RETURN Explosion
Metadata in the Blockchain: The OP_RETURN ExplosionCoin Sciences Ltd
 
O Diário de Juliana
O Diário de JulianaO Diário de Juliana
O Diário de JulianaCybele Meyer
 
Advantages of Ultrasonic Thickness Gages over Flaw Detectors for Corrosion Th...
Advantages of Ultrasonic Thickness Gages over Flaw Detectors for Corrosion Th...Advantages of Ultrasonic Thickness Gages over Flaw Detectors for Corrosion Th...
Advantages of Ultrasonic Thickness Gages over Flaw Detectors for Corrosion Th...Olympus IMS
 

Viewers also liked (20)

Tactical Information Gathering
Tactical Information GatheringTactical Information Gathering
Tactical Information Gathering
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
 
Saml v2-OpenAM
Saml v2-OpenAMSaml v2-OpenAM
Saml v2-OpenAM
 
Oauth2 et OpenID Connect
Oauth2 et OpenID ConnectOauth2 et OpenID Connect
Oauth2 et OpenID Connect
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
 
SemanticExperts-Reador octobre2016
SemanticExperts-Reador octobre2016SemanticExperts-Reador octobre2016
SemanticExperts-Reador octobre2016
 
OSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and futureOSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and future
 
Why MySQL High Availability Matters
Why MySQL High Availability MattersWhy MySQL High Availability Matters
Why MySQL High Availability Matters
 
Somatic Experiencing - Savera Noriega (TouchStudio) op CoachCafé Gent
Somatic Experiencing - Savera Noriega (TouchStudio) op CoachCafé GentSomatic Experiencing - Savera Noriega (TouchStudio) op CoachCafé Gent
Somatic Experiencing - Savera Noriega (TouchStudio) op CoachCafé Gent
 
July 2016 Newsletter - Issue 7 Volume 1
July 2016 Newsletter - Issue 7 Volume 1July 2016 Newsletter - Issue 7 Volume 1
July 2016 Newsletter - Issue 7 Volume 1
 
February 2016 Newsletter - Issue 2 Volume 1
February 2016 Newsletter - Issue 2 Volume 1February 2016 Newsletter - Issue 2 Volume 1
February 2016 Newsletter - Issue 2 Volume 1
 
October 2016 Newsletter — Issue 10 Volume 1
October 2016 Newsletter — Issue 10 Volume 1October 2016 Newsletter — Issue 10 Volume 1
October 2016 Newsletter — Issue 10 Volume 1
 
June 2016 Newsletter — Issue 6 Volume 1
June 2016 Newsletter — Issue 6 Volume 1June 2016 Newsletter — Issue 6 Volume 1
June 2016 Newsletter — Issue 6 Volume 1
 
November 2016 Newsletter — Issue 11 Volume 1
November 2016 Newsletter — Issue 11 Volume 1November 2016 Newsletter — Issue 11 Volume 1
November 2016 Newsletter — Issue 11 Volume 1
 
Antorcha(1)
Antorcha(1)Antorcha(1)
Antorcha(1)
 
Semana Santa Torrejon 2015: Procesion del Encuentro en Domingo de Resurreccion
Semana Santa Torrejon 2015: Procesion del Encuentro en Domingo de ResurreccionSemana Santa Torrejon 2015: Procesion del Encuentro en Domingo de Resurreccion
Semana Santa Torrejon 2015: Procesion del Encuentro en Domingo de Resurreccion
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
 
Metadata in the Blockchain: The OP_RETURN Explosion
Metadata in the Blockchain: The OP_RETURN ExplosionMetadata in the Blockchain: The OP_RETURN Explosion
Metadata in the Blockchain: The OP_RETURN Explosion
 
O Diário de Juliana
O Diário de JulianaO Diário de Juliana
O Diário de Juliana
 
Advantages of Ultrasonic Thickness Gages over Flaw Detectors for Corrosion Th...
Advantages of Ultrasonic Thickness Gages over Flaw Detectors for Corrosion Th...Advantages of Ultrasonic Thickness Gages over Flaw Detectors for Corrosion Th...
Advantages of Ultrasonic Thickness Gages over Flaw Detectors for Corrosion Th...
 

Similar to A journey into Application Security

4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.pptgealehegn
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Najib Radzuan
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019Stefan Streichsbier
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Eryk Budi Pratama
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabadkunwaratul hax0r
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenNadira Bajrei
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowAmien Harisen Rosyandino
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 

Similar to A journey into Application Security (20)

4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabad
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 

More from Christian Martorella

Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environmentChristian Martorella
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainChristian Martorella
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP SpainChristian Martorella
 
All your data are belong to us - FIST Conference 2007
All your data are belong to us - FIST Conference 2007All your data are belong to us - FIST Conference 2007
All your data are belong to us - FIST Conference 2007Christian Martorella
 
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008Christian Martorella
 

More from Christian Martorella (6)

Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
 
Playing in a Satellite environment
Playing in a Satellite environmentPlaying in a Satellite environment
Playing in a Satellite environment
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP Spain
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
All your data are belong to us - FIST Conference 2007
All your data are belong to us - FIST Conference 2007All your data are belong to us - FIST Conference 2007
All your data are belong to us - FIST Conference 2007
 
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
 

Recently uploaded

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

A journey into Application Security

  • 1. A  Journey  into  Application   Security Christian  Martorella ISACA  Italy  2014 Venezia,  3rd October
  • 2. Who  am  I • Principal  Program  Manager,  Product  Security Skype  – Microsoft • Edge-­‐Security:  Wfuzz,  theHarvester,  Metagoofil,  Webslayer • Presented  in  many  Security  conferences:  Hack.lu,  BlackhatArsenal,   Source,  OWASP  Summit,  OSIRA • CIS(A,M,SP),  OPS(T,A)  
  • 3. My  background • Started  as  internal  security  auditor  (Offensive) • System  and  network  security  responsible  of  a  small  ISP  (Defensive) • Penetration  tester  -­‐>  Team  leader  (Offensive) • Practice  lead  for  Threat  and  Vulnerability  in  EMEA  (Offensive) • Product  Security  Analyst  in  Skype  (Defensive)
  • 4. Introduction This presentation is about the evolution of software development and the relation with Applicationsecurity. How application security teams adapted over time and the challenges we are facing
  • 5.
  • 7. Waterfall  development • Originated  from  the  manufacturing  and  construction  industries.   • Hardware  oriented  model  adapted  to  Software  development • Sequential  design  process • Introduced  by  Winston  Royce  in  the  ’70
  • 8. Waterfall  development • Make  sure  each  phase  is  100%  complete  and  absolutely  correct   before  proceeding  to  the  next  phase • Emphasis  on  documentation • Project  span  across  long  period  of  time • Time  spent  early on  making  sure  requirements and  design are  correct saves  much  time  and  effort  later.
  • 9. Application  Security Microsoft  Secure  Development  Lifecycle  (SDL) Set  of  software  development  process  improvements Born  in  2002  and  established  in  2004,  as  result  of  MS  Trustworthy  Computer   (TWC)  initiative. More  than  50%  less  vulnerabilities  in  shipped  code
  • 12. Security  approach Influence  in  the  Design  phase: • All  functional  and  design  specifications,   regardless  of  document  size,  should   contain  a  section  describing  how  the  component  impacts  security • Threat  Modeling:  Understand  assets  to  protect,  threats  and  vulnerabilities   to   the  product  and  how  will  be  mitigated.  Critical  to  create  a  secure  software Most  important  phase  in  Waterfall
  • 13. Security  approach Development  phase: Implement  security  tools:   • Static  analysis,  Banned  Apis,  FxCop,  /Analyze Implement  security  checklist Secure  coding  best  practices Verification  /  Release  phase: Fuzzing Verify  /  validate  Threat  Model Final  security  review  (FSR) Security  testing  by  another  team  or  third  party
  • 14. Challenges • Lack  of  security  requirementsin  design  phase  will  make  it  difficult  to  add   them  in  later  stages • Non  iterative  nature  makes  difficult  to  fix  issues  identified  in  advanced   stages  of  development • Issues  detected  in  the  Final  review,  will  be  expensive  to  fix
  • 16. Agile  development • Cross  functional  teams,  self  organizing • Short  time  boxed  development  iterations • Delivery  of  small  functional  stories • Listen  to  customer  needs  and  adapt • Usually  low  in  documentation
  • 17. Agile  Manifesto Individuals  and  interactionsover  processes  and  tools Working  software  over  comprehensive  documentation Customer  collaboration  over  contract  negotiation Responding  to  change  over  following  a  plan That  is,  while  there  is  value  in  the  items  on the  right,  we  value  the  items  on  the  left  more.
  • 18.
  • 19.
  • 20. Challenges • SDL  too  complex  to  fit  in  each  release/Sprint • Design,  requirements  evolve  over  time • New  interactions  with  third  parties  are  not  known  in  advance • Teams  usually  don’t  have  an  Application  Security  specialist • Teams  move  faster  than  Waterfall • New  code  is  being  pushed  to  production  every  week  or  even  days. • Low  on  documentation
  • 22. SDL  for  Agile The  categorization  of  SDL  requirements  into: • every-­‐sprint • one-­‐time • Three  bucket  groups  (Verification,  design,  Response) is  the  SDL-­‐Agile  solution  for  dealing  with  SDL  in  Agile  environments
  • 23. Recommendations • Training  the  teams  and  providing  them  with  tools  is  the  most   important  aspect  in  order  to  implement  SDL  in  Agile  teams • Security  specialist  assigned  to  a  few  teams,  to  provide  consultancy • Useful  to  participate  in  Sprint  planning  to  understand  what  is  going   on • Sprint  Security  Checklist  (FSR),  after  Sprint  planning • Get  familiar  with  Agile  tools,  backlog.
  • 24. SDL  for  Agile • Continuous  Integration  (Automation):   Secure  Code  analysis Security  unit  test Vulnerability  scanning Secure  configuration
  • 27. Cloud • “We  want  to  start  using  Cloud  services”
  • 28. Challenges • Security  of  the  data • Security  of  the  servers • Who  is  responsible  for  the  servers • Where  is  the  data  located • Encryption  at  rest • Disks  reutilization
  • 29. Security  Approach • New  Security  policy  for  Cloud  services • Security  Onboarding  for  teams • Inventory  of  cloud  services
  • 30.
  • 32. Why  Devops? • Continuous  software  delivery   • Faster  delivery  of  features • Faster  resolution  of  problems • Less  complex  problems  to  fix More  Deploys  Means  Faster  Time  to  Market  and  Continual  Improvement
  • 33.
  • 34. Challenges • Rapid  releases  cycles  (every  day,  multiple  times  a  day) • Autonomous  teams   • Teams  are  doing  development  and  operations  now • Infrastructure  also  changes  fast
  • 36.
  • 37.
  • 38. Surviving  Devops • Providing  security  training  to  teams • Provide  security  policies,  guidelines • Security  and  abuse  stories,  driven  by  business • Situational  awareness:   • What  do  we  have? • Changes,  alerts. • Attack  surface,  priorities
  • 39. Surviving  Devops • Automation: • Integrate  testing  into  continuous  integration  and  release  process  (Chef  &   Puppet) • Integrate  and  extend  production  configuration  monitoring • Develop  your  own  security  testing  tools,  more  focused  and  adapted  to  your   particular  needs
  • 40. Surviving  Devops Situational  awareness  &  Automation  example: -­‐Source  code  Product  attack  surface  analyzer,  alerts,  prioritization  of   efforts.   -­‐Internet  footprint,  scanning  and  inventory.  Updated  every  hour.
  • 41. Surviving  Devops • Integrate  InfoSec  and  IR  into  the  Ops/Devs escalation  process • Harden  the  production  environment • Provide  guidelines/baselines   on  what  is  a  hardened  environment • Automate  hardening  (Chef/Puppet) • Tolerate  failure  in  production  environments  (Chaos  Monkey)
  • 42. Surviving  Devops • Metrics:   • Identify  if  teams  are  repeating  certain  type  of  vulnerabilities,   train  them  to   prevent  repeating  again.   • Prioritize  training • Modify  policies  and  baselines • Tune  tools • Interact  more  closely  with  teams,  attend  to  standups • Be  more  flexible  and  adapt  to  team  processes   • mesh  with  the  unique  development  cultures  of  individual  teams
  • 43. The  Future? Rugged  software “Rugged”  describes  software  development  organizations  which  have  a   culture  of  rapidly  evolving  their  ability  to  create  available,  survivable,   defensible,  secure,  and  resilient  software Rugged  is  NOT  a  technology,  process  model,  SDLC,  or  organizational   structure.  It’s  not  even  a  noun.
  • 44. Rugged  software Rugged  describes  staying  ahead  of  the  threat  over  time “We  are  convinced  that  negative  and  reactive  approaches  to   application  security  cannot  scale  and  are  doomed  to  fail.  These   approaches  primarily  rely  on  finding  vulnerabilities  and  fixing  them.”
  • 45. Rugged  Manifesto I  am  rugged  and,  more  importantly,  my  code  is  rugged. I  recognize  that  software  has  become  a  foundation  of  our  modern  world. I  recognize  the  awesome  responsibility   that  comes  with  this  foundational  role. I  recognize  that  my  code  will  be  used  in  ways  I  cannot  anticipate,  in  ways  it  was  not  designed,   and  for  longer  than  it  was  ever  intended. I  recognize  that  my  code  will  be  attacked  by  talented  and  persistent  adversaries  who  threaten   our  physical,  economic  and  national  security. I  recognize  these  things  – and  I  choose  to  be  rugged. I  am  rugged  because  I  refuse  to  be  a  source  of  vulnerability  or  weakness. I  am  rugged  because  I  assure  my  code  will  support  its  mission. I  am  rugged  because  my  code  can  face  these  challenges   and  persist  in  spite  of  them. I  am  rugged,  not  because  it  is  easy,  but  because  it  is  necessary  and  I  am  up  for  the  challenge.
  • 46. Conclusion • Development  methodologies  and  processes  changed  considerably   over  time • More  things  happening  in  shorter  period  of  time • Security  tools  and  techniques  needs  to  adapt  to  this  situation • Automation  is  key  in  Devops environment • Security  professionals  need  to  be  flexible  and  engage  more  than  ever   with  development  teams
  • 47. ?
  • 49. Resources • Microsoft  SDL  -­‐ http://www.microsoft.com/security/sdl/default.aspx • Rugged  Software  -­‐ https://www.ruggedsoftware.org/ • http://labs.securitycompass.com/appsec-­‐2/the-­‐cultural-­‐challenges-­‐of-­‐ application-­‐security/ • http://devops.com/features/the-­‐unexpected-­‐benefits-­‐of-­‐devops/ • http://newrelic.com/devops/benefits-­‐of-­‐devops