New Era of Software with modern Application Security (v0.6)
Uploaded by dinis-cruz
Transcript of New Era of Software with modern Application Security (v0.6)
Page 1
NEW ERA OF SOFTWARE WITH MODERN APPLICATION SECURITY
VERSION 0.6 (27/FEB/2016)
OWASP LONDON CHAPTER
@DINISCRUZ
Page 2
@DINISCRUZ
• Developer for 25 years
• AppSec for 13 years
• Leader of the OWASP O2 Platform project
• Head of Application Security at The Hut Group
• Application Security Training for JBI Training
• http://blog.diniscruz.com/
• https://www.linkedin.com/in/diniscruz
Page 3
QUALITY
Page 4
Software Craftsmanship is about Software Quality
Page 5
A big problem with the Craftsmanship (and testing) community is:
‘How to define Quality?’
Page 6
Everybody knows that Quality is key
… but …
‘how to measure Quality?’
Page 7
My thesis is that
Application Security can be used to define and measure Quality
Page 8
Application Security is all about the non-functional requirements of software*
* software = apps, websites, web services, APIs, tools, build scripts = code
Page 9
Application Security is all about understanding HOW the software works*
* vs how software behaves
Page 10
Using Application Security
I can measure the quality of software
Page 11
Because Application Security
measures the unintended side effects of coding
Page 12
WRITING SECURE CODE MYTH
Page 13
“If only software developers had security knowledge they would be able to write secure code”
Page 14
This is a myth because secure code has very little to do with developers’ skills and craftsmanship
Page 15
Software security (or insecurity) is a consequence of the Software development environment
(namely the business and managers’ focus)
Page 16
And I know that this is a myth because
I cannot write ‘secure code’
when I’m programming
Page 17
THE POLLUTION ANALOGY
Page 18
TECHNICAL DEBT IS A BAD ANALOGY
• The developers are the ones who pay the debt
• Pollution is a much better analogy
• The key is to make the business accept the risk (i.e. the debt)
Page 19
LET’S HACK (A LITTLE BIT) http://manifesto.softwarecraftsmanship.org/
Demo
Page 20
CURRENT STATE OF APPLICATION INSECURITY
Page 21
How secure is your code?
Page 22
How insecure is your code?
How many risks/vulnerabilities are you aware of?
Page 23
JIRA RISK WORKFLOW
http://blog.diniscruz.com/2015/12/jira-workflows-for-handing-appsec-risks.html
Page 24
KEY CONCEPTS OF THIS WORKFLOW
• All tests should pass all the time
• Tests that check/confirm vulnerabilities should also pass
• The key to making this work is to make business owners understand the risks of their decisions (and click on the ‘accept risk’ button)
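The "tests that confirm vulnerabilities should also pass" idea, as an added Python example that is not code from the slides or from the JIRA workflow post: a test linked to a risk ticket stays green while the weakness is still present and the ticket is open or accepted, and goes red once the code is fixed, which is the cue to close the ticket and convert it into a regression test. The risk register, ticket ids, greeting functions, probe string and the open/accepted status rule are all constructed assumptions.

```python
"""Vulnerability-confirming tests linked to a risk ticket.

Added example, not code from the slides or from the author's JIRA workflow.
The register, ticket ids, greeting functions and probe string are constructed;
the 'Open'/'Accepted' status rule is this example's own assumption.
"""
from dataclasses import dataclass
from html import escape
from typing import Callable

# Constructed stand-in for the JIRA risk tickets the slides describe.
RISK_REGISTER = {
    "RISK-42": {"status": "Accepted", "title": "Greeting reflects HTML unescaped"},
    "RISK-77": {"status": "Fixed", "title": "Old ticket, weakness already removed"},
}

# Constructed sample input: inert markup, enough to show whether escaping happens.
PROBE = "<b>constructed</b>"


def greeting_vulnerable(name: str) -> str:
    """'Before' version: user input concatenated into HTML without escaping."""
    return "<p>Hello " + name + "</p>"


def greeting_fixed(name: str) -> str:
    """'After' version: the same page with the input HTML-escaped."""
    return "<p>Hello " + escape(name, quote=True) + "</p>"


@dataclass(frozen=True)
class RiskTestResult:
    risk_id: str
    passed: bool
    message: str


def risk_test(risk_id: str, render: Callable[[str], str]) -> RiskTestResult:
    """A suite test that passes while the ticketed weakness is still observable.

    It stays green, like every other test, as long as the ticket is open or
    accepted and the weakness still reproduces. It fails when the weakness
    disappears (close the ticket, turn this into a regression test) and also
    when the ticket is not in an open/accepted state, so no risk is tracked silently.
    """
    status = RISK_REGISTER.get(risk_id, {}).get("status")
    if status not in ("Open", "Accepted"):
        return RiskTestResult(risk_id, False, f"{risk_id} is {status!r}, not an open or accepted risk")
    if PROBE in render(PROBE):
        return RiskTestResult(risk_id, True, f"{risk_id} confirmed: markup reflected verbatim")
    return RiskTestResult(risk_id, False, f"{risk_id} no longer reproduces: close the ticket and convert this test")


def regression_test(render: Callable[[str], str]) -> bool:
    """What the risk test becomes after the fix: assert the weakness is gone."""
    return PROBE not in render(PROBE)
```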
Page 25
You have to make sure that it is your boss that gets fired
Page 26
… he/she should make sure that it is his/her boss that gets fired …
Page 27
… all the way to the CTO
(i.e. Board level responsibility)
Page 28
SENIOR MANAGEMENT OVERSIGHT
• ‘Security Memo’ (from God)
• Incident response plans
• Emergency response exercises (can you detect them?)
• Cyber Insurance
• Enterprise Cyber Risk management
• Which C-level executive will get fired?
Page 29
DOES YOUR COMPANY/TEAM HAVE:
• AppSec team/person
• Security Champion
• Secure coding standards
• Threat Models
• OWASP contributors
• Secure code reviews
Page 30
If your answer was not YES to all of them...
then
Your Application WILL have a high number of Security Vulnerabilities
Page 31
WHY DO APPLICATION SECURITY?
Page 32
Because you care about:
your users, good engineering, your application, your company
Page 33
You have been lucky so far due to lack of commercially focused attackers
Page 34
This has been a
Blessing and Curse
Page 35
You are making a hedged bet
Page 36
Your hedged bet is that:
the Security of your code vs
Skill and motivation of attackers
will not change in the next 2 years
Page 37
Most of you are creating the perfect storm …
Page 38
User personalisation +
Digital Payments +
APIs
Page 39
A large % of your apps’ users will have malware on their box
Page 40
You are as secure as your most inexperienced developer
Page 41
WHO IS ATTACKING YOU
Page 42
IF THE ATTACKER TELLS YOU ABOUT THE ATTACK
Page 43
YOU SHOULD THANK THEM
Page 44
The dangerous ones are the commercially focused criminals
Page 45
It’s all about the money
Page 46
… to hack you …
Page 47
Page 48
Buy botnet for $110
Page 49
How much it costs to be an ‘internal user’
Page 50
100% Anti-virus non-detection guarantee
Page 51
But the credit cards were protected
Page 52
RUSSIAN HACKERS MOVED RUBLE RATE WITH MALWARE
• http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says
Page 53
IT IS IN THE BILLIONS
• The real criminals are running highly professional companies, with high quality software Development, Testing, QA, AB testing, etc…
Page 54
NEW GENERATION OF APPLICATION SECURITY THINKING
Page 55
• TDD
• Docker
• Test Automation
• Static Analysis
• clever Fuzzing
• JIRA Risk workflows
• Kanban
• micro web services visualization, and
• ELK
Page 56
WE HAVE SOLUTIONS
Page 57
OWASP!!!!
Page 58
TIPS FOR BUILDING A MODERN SECURITY ENGINEERING ORGANIZATION
• https://georgianpartners.com/tips-for-building-a-modern-security-engineering-organization
Page 59
HOW TO BUILD SECURE WEB APPLICATION
• http://blog.knoldus.com/2016/02/03/how-to-build-secure-web-application/
Page 60
REAL WORLD MUTATION TESTING
• http://pitest.org/
Page 61
SECURITY DEVELOPMENT LIFECYCLE
• https://www.microsoft.com/en-us/sdl/process/design.aspx
Page 62
SPOTIFY ENGINEERING CULTURE - PART 1
• https://labs.spotify.com/2014/03/27/spotify-engineering-culture-part-1/
• https://spotifylabscom.files.wordpress.com/2014/03/spotify-engineering-culture-part1.jpeg
Page 63
SPOTIFY ENGINEERING CULTURE - PART 2
• https://labs.spotify.com/2014/09/20/spotify-engineering-culture-part-2/
• https://spotifylabscom.files.wordpress.com/2014/09/spotify-engineering-culture-part2.jpeg
Page 64
FINAL THOUGHTS
Page 65
UNWRITTEN RULES OF APIS
“Every API is destined to be connected to the internet”
Page 66
UNWRITTEN RULES OF APIS
“All API data wants to be exposed in a Web Page”
Page 67
“Would you fly in a plane that has the code quality of your APIs?”
Page 68
Thanks, any questions?