Secure SDLC. Approach and realization
by Nazar Tymoshyk, Ph.D., CEH
Even the best applications face challenges.
Big applications face bigger challenges.
Security is an important factor for your app.
Consequences
• Reputation loss
• Penalties
• Data loss
• IP theft
Threats
• Breaching organizational perimeters
• Modifying the victim's website to deliver malware to its visitors
• Taking over high-value accounts
Hackers' motives
Previously, attackers used application vulnerabilities to cause embarrassment and disruption. Now the same attackers exploit vulnerabilities to steal data and much more.
Web application firewall
in front of Microsoft IIS, Apache or Nginx
CYA (cover your apps)
Time-to-Fix vs. Time-to-Hack
Automated temporary patches
Why
• Effective design of protected code requires a change in the mindset of the participants involved.
• Existing training resources focus on studying the causes and consequences of attacks instead of eliminating the causes.
• Following the conventional approach, the designer must be a qualified penetration tester before starting to write secure code.
• It DOES NOT WORK!
Developer
• Focused on functional requirements
• Knows about:
– OWASP Top 10
– one threat (missing the DEADLINE)
• Concentrated on risks
"I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality" (c) Scott Hanselman
Security Officer
• Focused on security requirements
• Knows the difference between a vulnerability and an attack
• Focused on vulnerabilities
Risks are for managers, not developers
Typical Security Report delivered by security firm
Typical Security Report delivered by other auditor
How security is linked to development
A 3rd-party or internal audit produces tons of security defects, and the team goes BACK to re-coding, re-building, re-testing and re-auditing.
Then the whole cycle of re-coding, re-building, re-testing and re-auditing starts again.
How much time do you need to fix the security issues in your app?
How it should look
With a proper security program, the number of security defects should decrease from phase to phase.
• Automated security tests (CI integrated)
• Manual security tests (OWASP methodology)
• Secure coding trainings
• Regular vulnerability scans
Primary benefits
• Minimize the cost of security-related issues
• Avoid repetitive security issues
• Avoid an inconsistent level of security
• Determine the activities that pay back fastest in the current state of the project
Secure Development Lifecycle
Mapping SDL to Agile
• Every-sprint practices: essential security practices that should be performed in every release.
• Bucket practices: important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime.
• One-time practices: foundational security practices that must be established once at the start of every new Agile project.
Microsoft SDL
Training
Pre-SDL training:
• Introduction to Microsoft SDL
• Essential Software Security Training for the Microsoft SDL
• Basics of Secure Design, Development and Test
• Introduction to Microsoft SDL Threat Modeling
• SDL Quick Security References
• SDL Developer Starter Kit
Requirements Phase
• SDL Practice #2: Establish Security and Privacy Requirements (one-time practice)
• SDL Practice #3: Create Quality Gates/Bug Bars
• SDL Practice #4: Perform Security and Privacy Risk Assessments (one-time practice)
Design
• Establish Design Requirements (one-time practice)
• Attack Surface Analysis/Reduction (one-time practice)
• Use Threat Modeling
• Mitigation of threats
• Secure design
• Formulating security guidelines
• Security design review
Implementation
• SDL Practice #8: Use Approved Tools
• SDL Practice #9: Deprecate Unsafe Functions
• SDL Practice #10: Perform Static Analysis
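One way to enforce "Deprecate Unsafe Functions" (SDL Practice #9) as a CI gate, as an added example that is not part of the original slides: a small Python check that scans C/C++ sources for calls to a banned-API list, skips matches inside comments and string literals so they do not produce noise, and fails the build while naming the safer replacement. The banned list is a subset of the families from the Microsoft SDL banned.h; the replacement column and the sample source file are constructed for this example, and the replacements are an assumed team standard rather than an SDL prescription.

```python
"""Banned-function gate for C/C++ sources (added example, not from the slides).

Scans source text for calls to functions on a banned list, ignoring comments
and string/char literals, and reports file:line plus a suggested replacement.
Exit status is non-zero when anything banned remains, so CI can block the merge.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Banned function -> recommended replacement (assumption: team standard; adapt per platform).
BANNED = {
    "strcpy": "strcpy_s / strlcpy with an explicit destination size",
    "strncpy": "strcpy_s (strncpy does not guarantee NUL termination)",
    "strcat": "strcat_s / strlcat",
    "strncat": "strcat_s / strlcat",
    "sprintf": "snprintf / sprintf_s",
    "vsprintf": "vsnprintf / vsprintf_s",
    "gets": "fgets with a bounded buffer",
    "scanf": "scanf_s or width-limited conversions",
    "sscanf": "sscanf_s or width-limited conversions",
}

# Comments and literals are blanked (newlines kept) so line numbers stay correct.
NOISE = re.compile(
    r'/\*.*?\*/'                 # block comment
    r'|//[^\n]*'                 # line comment
    r'|"(?:\\.|[^"\\\n])*"'      # string literal
    r"|'(?:\\.|[^'\\\n])*'",     # char literal
    re.DOTALL,
)
# A banned name, not part of a longer identifier (strcpy_s, snprintf) and
# not a member access, immediately followed by an argument list.
CALL = re.compile(r"(?<![\w.>])\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def strip_noise(src: str) -> str:
    """Replace comments and literals with newlines only, preserving line count."""
    return NOISE.sub(lambda m: "\n" * m.group(0).count("\n"), src)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    func: str
    replacement: str


def scan_source(path: str, src: str) -> list[Finding]:
    """Return every banned call in one file, in source order."""
    clean = strip_noise(src)
    return [
        Finding(path, clean.count("\n", 0, m.start()) + 1, m.group(1), BANNED[m.group(1)])
        for m in CALL.finditer(clean)
    ]


def gate(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Scan {path: source}; passes only when no banned call remains."""
    findings = [f for path, src in files.items() for f in scan_source(path, src)]
    return (not findings), findings


def format_report(findings: list[Finding]) -> list[str]:
    return [f"{f.path}:{f.line}: banned call {f.func}() - use {f.replacement}" for f in findings]


# Constructed sample input: two real banned calls, three decoys that must be ignored.
SAMPLE_C = """#include <string.h>
#include <stdio.h>
/* strcpy(dst, src) in a block comment must not count */
void greet(char *name) {
    char buf[32];
    strcpy(buf, name);                          /* banned */
    puts("strcat(a, b) in a string literal is ignored");
    snprintf(buf, sizeof buf, "hi %s", name);   /* bounded: fine */
    strcpy_s(buf, sizeof buf, name);            /* safe variant: ignored */
    gets(buf);                                  /* banned */
}
"""

if __name__ == "__main__":
    ok, found = gate({"greet.c": SAMPLE_C})
    print("\n".join(format_report(found)) or "no banned functions found")
    raise SystemExit(0 if ok else 1)
```

The comment and literal stripping is what keeps the gate usable: a plain grep for `strcpy(` fires on every comment that explains why a call was replaced, and a gate that developers learn to ignore is worse than none. Compiler-level enforcement (the banned.h header, or treating deprecation warnings as errors) should remain the primary control; this check is the cheap layer that runs on every commit before the full static analysis.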
Verification Phase
Bucket practices:
• SDL Practice #11: Perform Dynamic Analysis
• SDL Practice #12: Fuzz Testing
• SDL Practice #13: Attack Surface Review
Release Phase
• SDL Practice #14: Create an Incident Response Plan (one-time practice)
• SDL Practice #15: Conduct Final Security Review
• SDL Practice #16: Certify Release and Archive
Response Phase
• SDL Practice #17: Execute Incident Response Plan
– Analyze vulnerability information
– Calculate risk
– Release the patch
– Notify clients
– Publish information
Value
• 20-40% decrease in time spent on testing/re-testing
• Catch problems as soon as possible
• Avoid repetitive security issues
• Improve the security expertise and practices of the current team
• Automation, integration, continuity
• Proactive security reporting
• Full coverage
CI SECURITY
Typical CI workflow
Continuous Integration, Delivery, Deployment
High-level vision (diagram): pull source code, static code analysis, CI tools, deploying application, dynamic security testing, security reports
CI Security process
Build
• Build the code with special debug options
Deploy
• Pack the build and the code
• Deploy the app to a VM for testing
Test Security
• Run code tests
• Run dynamic tests of the web application from the VM with security tools
Analyze
• Collect and format results
• Verify results
• Filter false positives / negatives
• Tune the scanning engine
• Fix defects
CI Workflow
Dynamic tests with a security scanner
OWASP Top 10 (2013) risk coverage
• A1 - Injection
• A2 - Broken Authentication and Session Management
• A3 - Cross-Site Scripting (XSS)
• A4 - Insecure Direct Object References
• A5 - Security Misconfiguration
• A6 - Sensitive Data Exposure
• A7 - Missing Function Level Access Control
• A8 - Cross-Site Request Forgery (CSRF)
• A9 - Using Components with Known Vulnerabilities
• A10 - Unvalidated Redirects and Forwards
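The "Analyze" stage of the CI security process above (collect and verify results, filter false positives, fix defects), together with the quality gates/bug bars of SDL Practice #3 and the OWASP Top 10 coverage list, as one added example in Python that is not part of the original slides. It takes dynamic-scan findings, drops the ones a reviewer has already marked as false positives, applies a bug bar that fails the build when too many findings of a severity remain, and reports which OWASP Top 10 (2013) categories the scan actually exercised. The report format, rule ids, rule-to-category mapping, target host and all sample findings are constructed for this example; they are not the native output of ZAP, Burp, AppScan or any other scanner.

```python
"""Scan-result triage and bug-bar gate for a CI pipeline (added example, not from the slides)."""
from __future__ import annotations

import hashlib
import json
from urllib.parse import urlsplit

# Hypothetical scanner rule id -> OWASP Top 10 2013 category (assumption; map your scanner's ids).
RULE_TO_OWASP = {
    "sqli": "A1", "os-cmd-injection": "A1", "weak-session-cookie": "A2",
    "xss-reflected": "A3", "xss-stored": "A3", "idor": "A4",
    "debug-errors-enabled": "A5", "cleartext-password-form": "A6",
    "missing-auth-on-admin": "A7", "csrf-token-missing": "A8",
    "outdated-jquery": "A9", "open-redirect": "A10",
}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}


def fingerprint(f: dict) -> str:
    """Stable id for a finding: rule + method + URL path + parameter.
    Host and query string are excluded because they differ between test VMs,
    so a suppression recorded on one VM still applies on the next."""
    key = f"{f['rule']}|{f['method']}|{urlsplit(f['url']).path}|{f.get('param') or ''}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(findings: list[dict], suppressions: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split findings into (active, suppressed). A suppression only counts when it
    carries a reason and a reviewer, so nothing can be muted silently."""
    valid = {s["fingerprint"] for s in suppressions if s.get("reason") and s.get("reviewer")}
    active, suppressed = [], []
    for f in findings:
        (suppressed if fingerprint(f) in valid else active).append(f)
    return active, suppressed


def bug_bar(active: list[dict], limits: dict[str, int]) -> tuple[bool, dict[str, int]]:
    """limits = max active findings allowed per severity, e.g. {"high": 0, "medium": 1}.
    Severities absent from limits are not restricted. Returns (passed, counts)."""
    counts: dict[str, int] = {}
    for f in active:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return all(counts.get(sev, 0) <= cap for sev, cap in limits.items()), counts


def owasp_coverage(checks_run: list[str]) -> tuple[list[str], list[str]]:
    """Categories touched by the executed checks, and categories never exercised.
    A clean scan of an unexercised category proves nothing, so both lists matter."""
    by_number = lambda c: int(c[1:])
    covered = {RULE_TO_OWASP[r] for r in checks_run if r in RULE_TO_OWASP}
    missing = {f"A{i}" for i in range(1, 11)} - covered
    return sorted(covered, key=by_number), sorted(missing, key=by_number)


def analyze(report: dict, suppressions: list[dict], limits: dict[str, int]) -> dict:
    active, suppressed = triage(report["findings"], suppressions)
    passed, counts = bug_bar(active, limits)
    covered, missing = owasp_coverage(report["checks_run"])
    worst_first = sorted(active, key=lambda f: -SEVERITY_RANK[f["severity"]])
    return {
        "passed": passed, "counts": counts, "suppressed": len(suppressed),
        "owasp_covered": covered, "owasp_not_exercised": missing,
        "active": [(f["severity"], f["rule"], urlsplit(f["url"]).path, f.get("param")) for f in worst_first],
    }


# Constructed sample scan output (not a real scanner's format).
SAMPLE_REPORT = json.loads("""{
  "target": "http://test-vm.internal:8080",
  "checks_run": ["sqli", "xss-reflected", "xss-stored", "csrf-token-missing", "open-redirect",
                 "weak-session-cookie", "outdated-jquery", "debug-errors-enabled"],
  "findings": [
    {"rule": "sqli", "severity": "high", "method": "GET",
     "url": "http://test-vm.internal:8080/search?q=1", "param": "q"},
    {"rule": "xss-reflected", "severity": "medium", "method": "GET",
     "url": "http://test-vm.internal:8080/profile?name=x", "param": "name"},
    {"rule": "csrf-token-missing", "severity": "medium", "method": "POST",
     "url": "http://test-vm.internal:8080/logout", "param": null},
    {"rule": "outdated-jquery", "severity": "low", "method": "GET",
     "url": "http://test-vm.internal:8080/static/jquery.js", "param": null}
  ]
}""")

# Constructed suppression file: one reviewed false positive, one entry missing its
# reason/reviewer that must be ignored by triage().
SUPPRESSIONS = [
    {"fingerprint": fingerprint(SAMPLE_REPORT["findings"][2]),
     "reason": "logout endpoint; a forged request only logs the victim out", "reviewer": "appsec-lead"},
    {"fingerprint": fingerprint(SAMPLE_REPORT["findings"][0])},
]
BUG_BAR = {"high": 0, "medium": 1}

if __name__ == "__main__":
    result = analyze(SAMPLE_REPORT, SUPPRESSIONS, BUG_BAR)
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["passed"] else 1)
```

Two choices carry the security weight here. The fingerprint deliberately ignores host and query values, so the same false positive is not re-triaged on every fresh test VM, while still changing when the rule, method, path or parameter changes. And a suppression without a reason and a reviewer is simply not honoured, which turns the "filter false positives" step into a reviewed record instead of a growing mute list. The not-exercised list is the caveat for the OWASP Top 10 slide: a dynamic scanner covers a category only if it actually ran checks for it against the deployed app, and a green scan says nothing about A4, A6 or A7 in the sample above.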
Tools for Secure SDLC
• IBM AppScan Source
• Burp Suite
• Sonar
• OWASP ZAP
• HP Fortify
• Netsparker
• Coverity
• Veracode
Supported languages
• Java
• .NET (C#, ASP.NET and VB.NET)
• JSP
• Client-side JavaScript
• ColdFusion
• C/C++
• Classic ASP (both JavaScript and VBScript)
• PHP, Perl
• Visual Basic 6
• COBOL
• T-SQL, PL/SQL
Analysis of app security statistics
Sonar - for code quality coverage
Code security analysis
We are able to pinpoint the exact line of defective code
Filtering false positives
It really works!
Applications secured - business protected
THANK YOU 
Email: root.nt@gmail.com 
Skype: root_nt

Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 

Agile and Secure SDLC

  • 1. Secure SDLC. Approach and realization by Nazar Tymoshyk, Ph.D., CEH
  • 2. Even the best applications get challenges
  • 3. Big applications get bigger challenges
  • 4. Security is an important factor for your app
  • 5. Consequences: Reputation loss • Penalties • Data loss
  • 6. Threats: IP theft • Breaching organizational perimeters • Modifying the victim's website to deploy MALWARE to website visitors • Taking over high-value accounts
  • 7. Hackers' motives: Previously, attackers used application vulnerabilities to cause embarrassment and disruption. Now these attackers are exploiting vulnerabilities to steal data and much more
  • 8. Web application firewall: Microsoft IIS • Apache • Nginx
  • 9. CYA (cover your apps): Time-to-Fix vs. Time-to-Hack • Automated Temporary Patches
  • 10. Why • Effective design of protected code requires a change in the mindset of the participants involved. • Existing training resources focus on studying the causes and consequences instead of eliminating the causes. • Following the conventional approach, the designer must be a qualified penetration tester to start writing secure code. • It DOES NOT WORK!
  • 11. WHY (repeats the points of slide 10)
  • 12. Developer • Focus on functional requirements • Know about: – OWASP Top 10 – 1 threat (DEADLINE fail) • Concentrated on risks • «I know when I'm writing code I'm not thinking about evil, I'm just trying to think about functionality» (c) Scott Hanselman
  • 13. Security Officer • Focused on security requirements • Knows the difference between a vulnerability and an attack • Focused on vulnerabilities
  • 14. Risks are for managers, not developers
  • 15. Typical Security Report delivered by a security firm
  • 16. Typical Security Report delivered by another auditor
  • 17. How security is linked to development: 3rd-party or internal audit • A ton of security defects • BACK to re-Coding, re-Building, re-Testing, re-Auditing • Then the process of re-Coding, re-Building, re-Testing, re-Auditing starts again
  • 18. How much time do you need to fix security issues in the app?
  • 19. How it should look: With a proper Security Program the number of security defects should decrease from phase to phase • Automated security tests integrated in CI • Manual security tests (OWASP methodology) • Secure Coding trainings • Regular vulnerability scans
  • 20. Primary Benefits • Minimize the costs of security-related issues • Avoid repetitive security issues • Avoid an inconsistent level of security • Determine activities that pay back faster during the current state of the project
  • 22. Mapping SDL to Agile • Every-Sprint practices: Essential security practices that should be performed in every release. • Bucket practices: Important security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime. • One-Time practices: Foundational security practices that must be established once at the start of every new Agile project.
  • 24. Training – PRE-SDL TRAINING: • Introduction to Microsoft SDL • Essential Software Security Training for the Microsoft SDL • Basics of Secure Design, Development and Test • Introduction to Microsoft SDL Threat Modeling • SDL Quick Security References • SDL Developer Starter Kit
  • 25. Requirements Phase • SDL Practice #2: Establish Security and Privacy Requirements (one-time practice) • SDL Practice #3: Create Quality Gates/Bug Bars • SDL Practice #4: Perform Security and Privacy Risk Assessments (one-time practice)
  • 26. Design • Establish Design Requirements (one-time practice) • Attack Surface Analysis/Reduction (one-time practice) • Use Threat Modeling • Mitigation of threats • Secure Design • Formulating security guidelines • Security Design Review
  • 27. Implementation • SDL Practice #8: Use Approved Tools • SDL Practice #9: Deprecate Unsafe Functions • SDL Practice #10: Perform Static Analysis
  • 28. Verification Phase – Bucket practices: • SDL Practice #11: Perform Dynamic Analysis • SDL Practice #12: Fuzz Testing • SDL Practice #13: Attack Surface Review
  • 29. Release Phase • SDL Practice #14: Create an Incident Response Plan (one-time practice) • SDL Practice #15: Conduct Final Security Review • SDL Practice #16: Certify Release and Archive
  • 30. Response Phase • SDL Practice #17: Execute Incident Response Plan – Analysis of vulnerability information – Risk calculation – Patch release – Client notification – Information publishing
  • 31. Value • 20-40% decrease in time for testing/re-testing • Catch problems as soon as possible • Avoid repetitive security issues • Improve security expertise/practices for the current team • Automation, integration, continuously proactive security reporting • Full coverage
  • 35. High-level vision: Static Code Analysis • Dynamic Security testing • CI tools • Deploying application • Security Reports • Pull source code
  • 36. CI Security process – Build: • Build code with special debug options – Deploy: • Pack build and code • Deploy app to VM for test – Test Security: • Run code tests • Run dynamic tests of the web application from the VM with security tools – Analyze: • Collect and format results • Verify results • Filter false positives/negatives • Tune scanning engine • Fix defects
  • 37. CI Workflow – Dynamic tests with a security scanner, OWASP Top 10 risk coverage: A1-Injection • A2-Broken Authentication and Session Management • A3-Cross-Site Scripting (XSS) • A4-Insecure Direct Object References • A5-Security Misconfiguration • A6-Sensitive Data Exposure • A7-Missing Function Level Access Control • A8-Cross-Site Request Forgery (CSRF) • A9-Using Components with Known Vulnerabilities • A10-Unvalidated Redirects and Forwards
  • 38. Tools for Secure SDLC • IBM AppScan Source • Burp Suite • Sonar • OWASP ZAP • HP Fortify • Netsparker • Coverity • Veracode
  • 39. Supported Languages • Java • .NET (C#, ASP.NET, and VB.NET) • JSP • Client-side JavaScript • ColdFusion • C/C++ • Classic ASP (both JavaScript/VBScript) • PHP, Perl • Visual Basic 6 • COBOL • T-SQL, PL/SQL
  • 40. Analysis of App Security Statistics
  • 41. Sonar – for code quality coverage
  • 42. Code Security Analysis: We are able to detect the line of bugged code
  • 44. It really works! Applications Secured - Business Protected
  • 45. THANK YOU Email: root.nt@gmail.com Skype: root_nt
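The "Analyze" step of the CI security process (slide 36: collect and format results, verify, filter false positives) only becomes a gate once it is tied to the quality gates / bug bars of slide 25. The script below is an added example of such a gate and is not code from the slides or from the author's toolchain. It assumes a simplified JSON finding format (fields `rule`, `name`, `risk`, `owasp`, `url`); the rule ids, URLs, thresholds and the false-positive allowlist are constructed for illustration, and real scanners such as OWASP ZAP export their own formats that a small adapter would have to map onto this shape.

```python
"""Added example: a CI quality gate ("bug bar") applied to security-scan results.

Assumed JSON finding format and all sample values are constructed for this
example; they are not a real scanner's schema or output.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass

RISK_ORDER = ("High", "Medium", "Low")

# Bug bar from the Requirements phase: the most open findings per risk level a
# build may ship with. High is never tolerated; a few Medium/Low may be
# accepted and tracked. Constructed thresholds.
BUG_BAR = {"High": 0, "Medium": 2, "Low": 10}

# Reviewed false positives as (rule id, URL prefix). Entries are added only
# after human triage; re-applying them on every run means the same noise does
# not have to be re-triaged each sprint. Constructed values.
FALSE_POSITIVES = {("XSS-REFLECTED", "/health")}

# Constructed scanner output, shaped like a simplified DAST export.
SAMPLE_REPORT = json.dumps({
    "target": "http://app.test.local",
    "findings": [
        {"rule": "SQLI", "name": "SQL Injection", "risk": "High",
         "owasp": "A1-Injection", "url": "/login"},
        {"rule": "XSS-REFLECTED", "name": "Reflected XSS", "risk": "High",
         "owasp": "A3-Cross-Site Scripting (XSS)", "url": "/health"},
        {"rule": "CSRF-TOKEN", "name": "Missing anti-CSRF token", "risk": "Medium",
         "owasp": "A8-Cross-Site Request Forgery (CSRF)", "url": "/profile"},
        {"rule": "COOKIE-HTTPONLY", "name": "Cookie without HttpOnly", "risk": "Low",
         "owasp": "A6-Sensitive Data Exposure", "url": "/login"},
        {"rule": "COOKIE-HTTPONLY", "name": "Cookie without HttpOnly", "risk": "Low",
         "owasp": "A6-Sensitive Data Exposure", "url": "/profile"},
    ],
})


@dataclass(frozen=True)
class Finding:
    rule: str
    name: str
    risk: str
    owasp: str
    url: str


def parse_report(text: str) -> list:
    """Collect and normalise findings. An unknown or missing risk level is
    promoted to High so a scanner upgrade cannot silently weaken the gate."""
    data = json.loads(text)
    findings = []
    for f in data.get("findings", []):
        risk = f.get("risk", "High")
        if risk not in RISK_ORDER:
            risk = "High"
        findings.append(Finding(f["rule"], f["name"], risk,
                                f.get("owasp", "unmapped"), f["url"]))
    return findings


def filter_false_positives(findings, allowlist=FALSE_POSITIVES) -> list:
    """Drop findings that match a reviewed (rule, URL prefix) allowlist entry."""
    return [f for f in findings
            if not any(f.rule == rule and f.url.startswith(prefix)
                       for rule, prefix in allowlist)]


def count_by_risk(findings) -> dict:
    counts = Counter(f.risk for f in findings)
    return {r: counts.get(r, 0) for r in RISK_ORDER}


def owasp_coverage(findings) -> dict:
    """Open findings per OWASP Top 10 category, for the security report."""
    return dict(Counter(f.owasp for f in findings))


def evaluate_bug_bar(findings, bar=BUG_BAR):
    """Return (passed, violations): risk levels whose count exceeds the bar."""
    counts = count_by_risk(findings)
    violations = [r for r in RISK_ORDER if counts[r] > bar.get(r, 0)]
    return (not violations), violations


def gate(report_text: str) -> int:
    """Whole Analyze step: parse, filter, evaluate; returns the CI exit code."""
    findings = filter_false_positives(parse_report(report_text))
    passed, violations = evaluate_bug_bar(findings)
    print("open findings by risk:", count_by_risk(findings))
    print("OWASP Top 10 coverage:", owasp_coverage(findings))
    if not passed:
        print("bug bar exceeded for:", ", ".join(violations))
        return 1
    print("bug bar met; build may proceed")
    return 0


if __name__ == "__main__":
    # Pass a report file as the first argument, or run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```

Run on the constructed sample the gate filters out the reviewed reflected-XSS hit on `/health`, still finds one open High (SQL injection) against a bar of zero, and exits with status 1 so the pipeline stops at the Analyze step rather than at the re-audit. Promoting unknown risk levels to High is deliberate: a gate that fails closed is what keeps the defect count decreasing from phase to phase, as slide 19 asks.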