Implementing Secure Coding In Your Organization
Erez Metula (CISSP), Founder
Application Security Expert
ErezMetula@AppSec-Labs.com
Agenda
SDLC
Security education for developers
Secure Design
Secure Coding
Security testing
Tools
About Me – Erez Metula
Application security expert
Book author
Managed Code Rootkits (Syngress)
Speaker & Trainer
BlackHat, Defcon, RSA, OWASP, etc..
Founder of AppSec Labs
AppSec Labs – The leading Application Security Company
A bunch of Application Security Experts
Ninja Pentesters of Web & Mobile Apps
Elite Trainers for Hacking & Secure coding courses
Development Process Evolution
The iterative waterfall..
Problem..
No security at all
..or doing security at the last stage of development
Sometimes a security bug can cause design changes
…and sometimes you can’t even fix it!!
VIDEO
http://cis1.towson.edu/~cssecinj/secure-coding-workshop/workshop-structure/importance-of-secure-coding-15-min/
Complex Threat Model
Major attack vectors – malicious user / malicious app
Malicious user attacking the client side app
Malicious user using the client app to attack the server side
Malicious user attacking the end user by having physical access to the device
Malicious app attacking the end user
Malicious app attacking other apps on same device
Example – Mobile App Threat Model
Cost of Change
Relative cost to fix a vulnerability – based on time of detection
The Security Development Lifecycle
A process for software development that defines security requirements and milestones
Developers don’t know how to write secure code !!!
These kinds of problems belong directly to the R&D department
NOT the IT dept. and NOT the Security dept.
Most developers haven’t had proper secure coding training
What to do?
We need to educate them !
AppSec Labs – Learning Management System
Grow your “Security champions”
A security champion is someone from your organization who will be responsible for advancing the application security initiative
Most often, he will be from the DEV team
A strong developer who truly cares about security
You should identify those kinds of people and cherish them
Case study – HP and AppSec Labs TTT (“Train The Trainer”)
Summary
Security should be performed at every layer
Never trust the user!
All input should be considered malicious unless proven otherwise
Follow best practices of secure coding and common security principles
SDL should be part of the methodology