Secure Development
Life Cycle (SDLC)
Sigal Russin, CISO
Senior Analyst at STKI
sigalr@stki.info
Sigal Russin’s work/ Copyright@2014
Do not remove source or attribution from any slide, graph or portion of graph
What are you getting:
(agenda figure with six numbered sections)
OSI Model (diagram)
Development Problems
• Buffer Overflow
A write that exceeds the amount of memory allocated to the buffer in advance. The overrun lets attackers go outside the buffer's bounds and overwrite information the program needs in order to keep running. In many cases, exploiting this weakness allows execution of code injected by the attacker.
Development Problems
• DoS (Denial of Service)
Ping of death, the classic oversized ICMP packet attack, no longer poses a risk given today's bandwidth and patched systems.
Local denial of service: "stealing" all available memory from the operating system (for example, through recursion with no stop condition), and denying service by blocking normal work with the computer.
Development Problems
Distributed denial of service: many different points each send one or more requests to a particular service on some network. It is usually carried out through many computers controlled by a single operator; the service cannot answer all the simultaneous requests, so at best it is blocked to further requests and at worst the system crashes for lack of resources.
• Code Injection
Cross-site scripting; HTML, JavaScript and SQL injection.
The user can enter code that the software then runs, and do whatever they like through the code they injected.
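As an added illustration (example code written for this page, not from the original slides), the following Python shows the SQL injection and HTML injection cases named above: a login query built by string concatenation, which a crafted password turns into a tautology, beside the parameterised form, and an HTML comment renderer with and without output encoding. The users table, the payload and the comment text are constructed sample data.

```python
import html
import sqlite3

# Constructed sample data for the demonstration.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Concatenates user input into the SQL text, so input can change the query."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Parameterised query: the driver passes input as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def render_comment_vulnerable(comment):
    """Puts untrusted text straight into HTML: a <script> in the comment runs."""
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    """Encodes the HTML metacharacters so the text stays text in the browser."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def demo():
    """Runs both login variants against the same injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"        # closes the string literal, adds a tautology
    return {
        "vulnerable": login_vulnerable(conn, "alice", payload),  # every user
        "safe": login_safe(conn, "alice", payload),              # no match
        "legit": login_safe(conn, "alice", "s3cret"),            # ['alice']
    }


if __name__ == "__main__":
    print(demo())
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
```

The concatenated query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the "login" returns all users; the parameterised query compares the whole payload as a password string and matches nothing.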
Development Problems
• Race Condition (resource conflict)
A resource conflict in software arises when the same resource is used by more than one part of the code at the same time (for example, a shared memory value being decremented), so the outcome depends on which part runs first.
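As an added example (written for this page, not from the original slides), the Python below makes the resource conflict concrete: ten threads withdraw from one shared balance. The unsafe version reads the balance, pauses, then writes, so every thread acts on the same stale value and the updates are lost; the locked version serialises the check and the update. The account and the sleep are constructed for the demonstration; the sleep only widens the window so the race shows on every run, whereas real races are intermittent.

```python
import threading
import time


def withdraw_unsafe(account, amount):
    """Check-then-act on a shared balance with no synchronisation."""
    balance = account["balance"]            # check (read the shared value)
    time.sleep(0.01)                        # widened window so the race shows every run
    if balance >= amount:
        account["balance"] = balance - amount   # act on a possibly stale value


def withdraw_safe(account, amount):
    """Same check and update, made atomic by holding the account's lock."""
    with account["lock"]:
        balance = account["balance"]
        time.sleep(0.01)
        if balance >= amount:
            account["balance"] = balance - amount


def run_withdrawals(withdraw, start=100, amount=10, workers=10):
    """Runs `workers` concurrent withdrawals of `amount` and returns the
    final balance. With the defaults the correct final balance is 0."""
    account = {"balance": start, "lock": threading.Lock()}   # constructed account
    threads = [threading.Thread(target=withdraw, args=(account, amount))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account["balance"]


if __name__ == "__main__":
    print("unsafe:", run_withdrawals(withdraw_unsafe))   # updates lost, balance stays high
    print("safe:  ", run_withdrawals(withdraw_safe))     # 0
```

In the unsafe run all ten threads read 100 before any of them writes, so each writes 90 and nine withdrawals vanish; with the lock the balance reaches 0 as intended.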
Myths
• If no one knows about a problem, nobody can exploit it (security by obscurity).
• "Safe" programming languages: many high-level languages give the feeling that they are clean and free of problems, yet programs written in them can still contain security issues and bugs.
• One-way hashed passwords: the file holds passwords in scrambled form, so (the myth goes) attackers cannot recover them. In practice the attacker reads the one-way scrambled data and works with it directly, for example by hashing candidate passwords offline and comparing the results.
• Nothing can break the software.
• You can fix and solve problems "on the go".
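As an added example (not from the original slides), the following Python shows why a one-way hash alone is not a protection: an unsalted MD5 of a common password falls to an offline dictionary guess in a few comparisons, whereas a salted, iterated PBKDF2 derivation gives different hashes for the same password and makes each guess expensive. The wordlist and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist and iteration count for the demonstration.
WORDLIST = ["123456", "password", "letmein", "s3cret", "qwerty"]
ITERATIONS = 100_000


def weak_store(password):
    """Unsalted, single-pass MD5: fast to guess and identical for equal passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored_hash, wordlist=WORDLIST):
    """Offline guessing: hash each candidate and compare; nothing is 'reversed'."""
    for guess in wordlist:
        if weak_store(guess) == stored_hash:
            return guess
    return None


def strong_store(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def strong_verify(password, salt, key, iterations=ITERATIONS):
    """Recomputes the derivation and compares in constant time."""
    _, candidate = strong_store(password, salt, iterations)
    return hmac.compare_digest(candidate, key)


def demo():
    """Contrasts the two storage schemes on the same password."""
    weak_a, weak_b = weak_store("s3cret"), weak_store("s3cret")
    salt_a, key_a = strong_store("s3cret")
    salt_b, key_b = strong_store("s3cret")
    return {
        "weak_identical": weak_a == weak_b,        # same input, same hash
        "weak_cracked": crack_weak(weak_a),        # 's3cret'
        "strong_identical": key_a == key_b,        # different salts, different keys
        "strong_verifies": strong_verify("s3cret", salt_a, key_a),
        "strong_rejects": strong_verify("qwerty", salt_b, key_b),
    }


if __name__ == "__main__":
    print(demo())
```

The point is not that PBKDF2 cannot be guessed offline; it is that the salt removes precomputed lookup tables and the iteration count multiplies the cost of every guess, while the unsalted fast hash gives the attacker neither obstacle.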
Assumptions
• QA staff will locate the problems and fix them.
• The user will not harm the information or the software's foundations.
• The program will only be used for its original, intended purpose.
• Code compiled into machine language cannot be read back.
• The encoding of machine-language symbols is a form of protection.
Programming principles for correct software security
Validate all the input you receive, including input from the command line, environment variables and any other source.
Do not only flag "bad" input; know what "good" input looks like and check for that.
Prevent buffer overflows everywhere. Pay particular attention to long inputs, since they give an attacker the opportunity to take over the functionality of your system.
Programming principles for correct software security (continued)
Remember to build your program correctly: avoid running with high privileges, start the system with correct and safe parameters, plan what you will do when the system fails, prevent race conditions and use safe channels only.
Use caution with system calls and calls to external libraries.
Release information carefully: only what is needed and nothing more. Do not expose internal data.
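As an added example (written for this page; not the slide author's code), the Python below contrasts the two validation styles the principles call for: a denylist that only looks for a "bad" substring, and an allowlist that states what a good file name is, bounds its length, and then confirms the resolved path is still under the document root. DOC_ROOT and the sample inputs are assumed values.

```python
import os
import re
import urllib.parse

# Assumed document root for the demonstration; any directory works.
DOC_ROOT = os.path.realpath("/srv/app/files")

# Allowlist: a file name starts with a letter or digit, uses only a small
# character set, and is at most 64 characters long (long inputs are a classic
# overflow and parser-abuse vector, so the bound is explicit).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_allowed_denylist(user_path):
    """Denylist style: rejects only the literal '..' substring."""
    return ".." not in user_path


def resolve_allowlist(user_path):
    """Allowlist style: decode, match the known-good shape, then confirm the
    resolved path cannot escape DOC_ROOT. Returns the full path or None."""
    decoded = urllib.parse.unquote(user_path)    # see '..' even when sent as %2e%2e
    if not SAFE_NAME.match(decoded):
        return None
    full = os.path.realpath(os.path.join(DOC_ROOT, decoded))
    if os.path.commonpath([DOC_ROOT, full]) != DOC_ROOT:
        return None                               # symlink or traversal escape
    return full


# Constructed inputs: the first is legitimate, the rest are traversal attempts
# or oversize input that the denylist either lets through or never considers.
SAMPLES = [
    "report.pdf",
    "%2e%2e/%2e%2e/etc/passwd",   # URL-encoded '..', no literal '..' to deny
    "/etc/passwd",                # absolute path, nothing for the denylist to see
    "a" * 200,                    # over the length bound
]


def compare(samples=SAMPLES):
    """Returns {input: (denylist verdict, allowlist result)} for each sample."""
    return {s: (is_allowed_denylist(s), resolve_allowlist(s)) for s in samples}


if __name__ == "__main__":
    for sample, verdict in compare().items():
        print(repr(sample[:40]), verdict)
```

The denylist passes the encoded traversal and the absolute path because neither contains the two characters it looks for; the allowlist rejects both on shape alone, and the realpath/commonpath check catches anything that slips through the pattern, such as a symlink planted under the document root.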
Customer round table insights
1) Unplanned projects, which do not always come to the attention of the information security function.
2) Are developers allowed to see particular data during the development process? Use of scrambling / data masking.
3) According to development staff, information security staff sometimes block the use of certain technologies out of excessive caution or insufficient knowledge.
4) Code received from third parties: what do you do with it? In no case has a system been taken off the air because of security flaws found in it.
5) The differences between the test and development environments and production. Production servers are hardened more than development and test.
Vendors
The Web Application Vulnerability Scanners Benchmark, 2012
http://sectooladdict.blogspot.co.il/2012/07/2012-web-application-scanner-benchmark.html
Recommendations
1) Integrate information security into all phases of the project: from the initial stages (sometimes a project is stopped at this stage because of feasibility or security risk), through the analysis phase and coding, to the various stages of testing.
2) Automated testing tools during coding. Ideally the code is tested all the time, every day.
3) A dedicated, in-depth source code review during the testing phase, focused on information security.
4) Penetration tests of the code.
5) Secure development procedures ("do and don't") for each technology.
6) Basic training for all developers, and more advanced training for the developers who serve as "security trustees".
Thank You!
Sigalr@stki.info


Speaker notes

1. software
2. A buffer that exceeds the amount of data allocated to it in advance. This overrun lets attackers leave the buffer's bounds and so rewrite information the program needs in order to continue running. In many cases, exploiting this weakness allows execution of code injected by the attacker.
3. Recursion with no stopping condition, which endlessly creates further recursion until "infinity", where that "infinity" is the operating system's free resources. Although this is a static example, it is still a full denial of service, because it "steals" all available memory from the operating system and also denies service by blocking normal work with the computer.
4. Such a denial of service makes many different points send one or more requests to a particular service on some network. It is usually carried out with many computers under the control of a single operator; these computers are called zombies. The attack succeeds in most cases because there are very many simultaneous requests and the service cannot answer them all. In the best case the service is merely blocked to further requests; in the worst case the system crashes for lack of free resources to handle the various requests, even after the attack ends.
5. The resource-conflict problem inside software refers to the same resource being used by more than one part of the code in the program (for example, a shared memory value being decremented).
6. Quite a few of the security problems and bugs found in software arise because programmers fail to follow up on, or ignore, compiler or interpreter messages. Beyond that, many programmers think that if their code compiles or is interpreted, then it contains no problems at all, or at least none that can be exploited against the software or the computer running it.
7. Careful calls to external libraries, or to "safe" ones the system already uses; calls with validated parameters; valid output; restricting the format of input data.