SlideShare ist ein Scribd-Unternehmen logo

Secure Software Development Lifecycle - Devoxx MA 2018

Imola Informatica
Imola Informatica

Slides from our talk @Devoxx MA 2018. We discuss Secure Software Development Lifecycle practices, recommendations, and tools, and we show practical examples of bad progamming habits that can be mitigated.

Technologie
1 von 49
Downloaden Sie, um offline zu lesen
SSDLC - Secure Software Development Lifecycle L. Molari – S. Monti – A. Proscia @imolinfo https://www.imolainformatica.it
How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } #SSDLC@imolinfo
How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } source Reuters: https://reut.rs/2QsGivt #SSDLC@imolinfo
A little patch… #SSDLC@imolinfo
Security costs. Average cost of a data breach in 2017 was… #SSDLC@imolinfo
Security costs. When you don’t care about it. …3.62 milions of dollars. source IBM: https://ibm.co/2tMp7ek #SSDLC@imolinfo
GDPR: Take care of users data With GDPR, data breaches will be more and more expensive: fines up to € 20M #SSDLC@imolinfo
Security misconceptions Security should not be a matter of fences… #SSDLC@imolinfo
Security misconceptions …or products or tools either #SSDLC@imolinfo
Key Principles Security should be a process #SSDLC@imolinfo Security should be testable Security should be measurable
Security as a Process #SSDLC@imolinfo Security should be a process
Software Development LifeCycle SDLC #SSDLC@imolinfo «Security» goes here
A typical perspective #SSDLC@imolinfo Don’t care about Security Let’s deliver the application
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
SSDLC Landscape Analysis Design Development SAST Code Review Software Component Analysis Testing DAST / IAST Maintenance SIEM Vault Management Issue TrackingIndipendent Vulnerability Assessment Risk Management Consolidated Security Standard Security Best Practices Threat Modelling Secure Coding Guidelines Security Response Planning Secure Testing Policies Security Response Execution Education & Awareness RASP Enterprise Information Security Architecture Continuous Vulnerability Assessment #SSDLC@imolinfo
OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
Security Testing Tools #SSDLC@imolinfo Security should be testable
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
SAST - Static Application Security Testing SAST lets you find flaws in source code using the best known patterns of bad programming habits #SSDLC@imolinfo
SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; #SSDLC@imolinfo
SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; Thank you guys! #SSDLC@imolinfo
SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); What’s wrong with you bro’??? #SSDLC@imolinfo
SonarQube #SSDLC@imolinfo A comprehensive platform for Quality Assurance and Static Analysis Source Testing
#SSDLC@imolinfo Let’s play!
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
Equifax Data Breach #SSDLC@imolinfo On march 2017 a serious flaw on Apache Struts 2.x was disclosed (CVE-2017-5638) ▪ Vulnerability allows Remote Code Execution ▪ Equifax Inc., a large USA credit reporting agency, was victim of an attack via this flaw ▪ Data of 145.5 milions of US citizens were stolen
Software Component Analysis Any lesson learnt from the Equifax data breach? #SSDLC@imolinfo
Software Component Analysis Know your software and its vulnerable components! “OWASP TOP 10 2017: A9:2017-Using Components with Known Vulnerabilities” #SSDLC@imolinfo Any lesson learnt from the Equifax data breach?
Software Component Analysis Answer to questions such as… …what components am I using? …what vulnerabilities am I inheriting? …where am I using this component? #SSDLC@imolinfo
Dependency Track A platform for comprehensive Software Component Analysis #SSDLC@imolinfo
#SSDLC@imolinfo Let’s play!
(Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
DAST - Dynamic Application Security Testing DAST lets us test applications using a black box approach #SSDLC@imolinfo
Zed Attack Proxy #SSDLC@imolinfo An integrated Web Application penetration testing tool with active and passive scanners
#SSDLC@imolinfo Let’s play!
Reverse proxy uses ZAP as HTTP proxy for connection to application Automated Tests HTTP Proxy ZAP Proxy Application CI Suite Zed Attack Proxy #SSDLC@imolinfo 1 2 3 6 4 Users and automated tests reach application through a reverse proxy ZAP passively records and scan requests of users and automated tests 5 A CI job fires ZAP active scan tests ZAP tries to attack application exploiting recorded requests A CI job collects reports from ZAP
Don’t rely only on tools… Perform routine code reviews #SSDLC@imolinfo Security is a matter of people and processes Build awareness through education
Security KPI Security should be measurable #SSDLC@imolinfo
CVSS – Common Vulnerability Score System #SSDLC@imolinfo Temporal Metric Group Exploit Code Maturity Remediation Level Report Confidence Modified Base Metrics Exploit Code Maturity Remediation Level Environmental Metric Group Report Confidence Exploitable Metrics Scope Impact Metrics Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A) Base Metric Group
CVSS - Common Vulnerability Score System #SSDLC@imolinfo Severity CVSSv2 CVSSv3 None N/A 0.0 Low 0.0-3.9 0.1-3.9 Medium 4.0-6.9 4.0-6.9 High 7.0-10.0 7.0-8.9 Critical N/A 9.0-10 Base Score Range
CVSS - An example? CVSS 10 CVE-2017-5638 (Equifax Data Breach Vulnerability) #SSDLC@imolinfo
WRT - Weighted Risk Trend #SSDLC@imolinfo Weighted Sum of vulnerabilities per application risk factor Example Blocker: 4 x 2.5 Critical: 133 x 2 Major: 508 x 1.5 Minor: 314 x 1 Application Risk Factor: 1.5 WRT = 2028
Security in a CI/CD process #SSDLC@imolinfo Software Security Checks Toolchain Software Component Analysis DAST OWASP ZAP SAST Continuos Integration SCM Issue Tracking Artifact Repository Container Security Platform Application Collaboration Suite SIEM
Key Takeaway points TOOLS can help you, but use them WISELY #SSDLC@imolinfo Security CAN fit your software development PROCESS Build security AWARENESS in your organization Security is TESTABLE and MEASURABLE in an AUTOMATED fashion
Do you have any question? 42!(*) (*) If you don’t know why 42 is your answer, I’ve got some bad news for you… Black Hats are the least of your problems: Vogons are on the way! #SSDLC@imolinfo
Luca Molari lmolari@imolainformatica.it @LMolr Stefano Monti smonti@imolainformatica.it @Ste_Monti Alessandro Proscia aproscia@imolainformatica.it @alex184it #SSDLC@imolinfo

Empfohlen

Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left SecurityBATbern
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019Ivanti
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 

Empfohlen

Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left SecurityBATbern
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019Ivanti
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101Narudom Roongsiriwong, CISSP
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
From Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber ResilienceFrom Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber Resilienceaccenture
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure SentinelBGA Cyber Security
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technologytrainersenthil14
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Managementn|u - The Open Security Community
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud securityRaj Sarode
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourPriyanka Aash
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 

Weitere ähnliche Inhalte

Was ist angesagt?

Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
From Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber ResilienceFrom Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber Resilienceaccenture
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technologytrainersenthil14
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud securityRaj Sarode
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourPriyanka Aash
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 

Was ist angesagt? (20)

Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
From Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber ResilienceFrom Cybersecurity to Cyber Resilience
From Cybersecurity to Cyber Resilience
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure Sentinel
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
 
Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technology
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an Hour
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 

Ähnlich wie Secure Software Development Lifecycle - Devoxx MA 2018

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSebastien Gioria
 
Secure by Design Microservices & Integrations
Secure by Design Microservices & IntegrationsSecure by Design Microservices & Integrations
Secure by Design Microservices & IntegrationsBallerina
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleJeff Williams
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]Anna Völkl
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxSource Conference
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...POSSCON
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security ArchitectureCisco Canada
 

Ähnlich wie Secure Software Development Lifecycle - Devoxx MA 2018 (20)

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Secure Coding For Java - Une introduction
Secure Coding For Java - Une introductionSecure Coding For Java - Une introduction
Secure Coding For Java - Une introduction
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Secure by Design Microservices & Integrations
Secure by Design Microservices & IntegrationsSecure by Design Microservices & Integrations
Secure by Design Microservices & Integrations
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Magento Application Security [EN]
Magento Application Security [EN]Magento Application Security [EN]
Magento Application Security [EN]
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 

Kürzlich hochgeladen

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Kürzlich hochgeladen (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

Secure Software Development Lifecycle - Devoxx MA 2018

  • 1. SSDLC - Secure Software Development Lifecycle L. Molari – S. Monti – A. Proscia @imolinfo https://www.imolainformatica.it
  • 2. How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } #SSDLC@imolinfo
  • 3. How much does it cost? if (multiWrapper.hasErrors()) { for (LocalizedMessage error : multiWrapper.getErrors()) { if (validation != null) { validation.addActionError( LocalizedTextUtil.findText(error.getClazz(), error.getTextKey(), ActionContext.getContext().getLocale(), error.getDefaultMessage(), error.getArgs())); } } } source Reuters: https://reut.rs/2QsGivt #SSDLC@imolinfo
  • 5. Security costs. Average cost of a data breach in 2017 was… #SSDLC@imolinfo
  • 6. Security costs. When you don’t care about it. …3.62 milions of dollars. source IBM: https://ibm.co/2tMp7ek #SSDLC@imolinfo
  • 7. GDPR: Take care of users data With GDPR, data breaches will be more and more expensive: fines up to € 20M #SSDLC@imolinfo
  • 8. Security misconceptions Security should not be a matter of fences… #SSDLC@imolinfo
  • 9. Security misconceptions …or products or tools either #SSDLC@imolinfo
  • 10. Key Principles Security should be a process #SSDLC@imolinfo Security should be testable Security should be measurable
  • 11. Security as a Process #SSDLC@imolinfo Security should be a process
  • 13. A typical perspective #SSDLC@imolinfo Don’t care about Security Let’s deliver the application
  • 14. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 15. SSDLC Landscape Analysis Design Development SAST Code Review Software Component Analysis Testing DAST / IAST Maintenance SIEM Vault Management Issue TrackingIndipendent Vulnerability Assessment Risk Management Consolidated Security Standard Security Best Practices Threat Modelling Secure Coding Guidelines Security Response Planning Secure Testing Policies Security Response Execution Education & Awareness RASP Enterprise Information Security Architecture Continuous Vulnerability Assessment #SSDLC@imolinfo
  • 16. OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
  • 17. OWASP 2017 Top 10 #SSDLC@imolinfo OWASP Top 10 Application Security Risks – 2017 A1:2017 – Injection A2:2017 - Broken Authentication A3:2017 - Sensitive Data Exposure A4:2017 - XML External Entities (XXE) A5:2017 - Broken Access Control A6:2017 - Security Misconfiguration A7:2017 - Cross-Site Scripting (XSS) A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging&Monitoring source OWASP: https://bit.ly/2HlP8H5
  • 19. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 20. SAST - Static Application Security Testing SAST lets you find flaws in source code using the best known patterns of bad programming habits #SSDLC@imolinfo
  • 21. SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; #SSDLC@imolinfo
  • 22. SAST - Static Application Security Testing String query = "select count(*) as number "+ " from required_documents rd, "+ " required_documents_quotations rdq, "+ " quotations q, documents d "+ " where rd.id = rdq.id_document "+ " and rd.id = d.id "+ " and rdq.id_quotation = q.id "+ " and q.end_date > sysdate "+ " and rd.status = 'EXP' "+ " and q.quotation_number = " + quotation; Thank you guys! #SSDLC@imolinfo
  • 23. SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
  • 24. SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); #SSDLC@imolinfo
  • 25. SAST - Static Application Security Testing String key = “A Fixed Password"; // 128 bit key // Create key and cipher Key aesKey = new SecretKeySpec(key.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); // encrypt the text cipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] encrypted = cipher.doFinal(password.getBytes()); What’s wrong with you bro’??? #SSDLC@imolinfo
  • 28. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 29. Equifax Data Breach #SSDLC@imolinfo On march 2017 a serious flaw on Apache Struts 2.x was disclosed (CVE-2017-5638) ▪ Vulnerability allows Remote Code Execution ▪ Equifax Inc., a large USA credit reporting agency, was victim of an attack via this flaw ▪ Data of 145.5 milions of US citizens were stolen
  • 30. Software Component Analysis Any lesson learnt from the Equifax data breach? #SSDLC@imolinfo
  • 31. Software Component Analysis Know your software and its vulnerable components! “OWASP TOP 10 2017: A9:2017-Using Components with Known Vulnerabilities” #SSDLC@imolinfo Any lesson learnt from the Equifax data breach?
  • 32. Software Component Analysis Answer to questions such as… …what components am I using? …what vulnerabilities am I inheriting? …where am I using this component? #SSDLC@imolinfo
  • 33. Dependency Track A platform for comprehensive Software Component Analysis #SSDLC@imolinfo
  • 35. (Secure) Software Development LifeCycle SSDLC #SSDLC@imolinfo Dynamic Application Security Testing Static Application Security Testing Software Component Analysis
  • 36. DAST - Dynamic Application Security Testing DAST lets us test applications using a black box approach #SSDLC@imolinfo
  • 37. Zed Attack Proxy #SSDLC@imolinfo An integrated Web Application penetration testing tool with active and passive scanners
  • 39. Reverse proxy uses ZAP as HTTP proxy for connection to application Automated Tests HTTP Proxy ZAP Proxy Application CI Suite Zed Attack Proxy #SSDLC@imolinfo 1 2 3 6 4 Users and automated tests reach application through a reverse proxy ZAP passively records and scan requests of users and automated tests 5 A CI job fires ZAP active scan tests ZAP tries to attack application exploiting recorded requests A CI job collects reports from ZAP
  • 40. Don’t rely only on tools… Perform routine code reviews #SSDLC@imolinfo Security is a matter of people and processes Build awareness through education
  • 41. Security KPI Security should be measurable #SSDLC@imolinfo
  • 42. CVSS – Common Vulnerability Score System #SSDLC@imolinfo Temporal Metric Group Exploit Code Maturity Remediation Level Report Confidence Modified Base Metrics Exploit Code Maturity Remediation Level Environmental Metric Group Report Confidence Exploitable Metrics Scope Impact Metrics Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A) Base Metric Group
  • 43. CVSS - Common Vulnerability Score System #SSDLC@imolinfo Severity CVSSv2 CVSSv3 None N/A 0.0 Low 0.0-3.9 0.1-3.9 Medium 4.0-6.9 4.0-6.9 High 7.0-10.0 7.0-8.9 Critical N/A 9.0-10 Base Score Range
  • 44. CVSS - An example? CVSS 10 CVE-2017-5638 (Equifax Data Breach Vulnerability) #SSDLC@imolinfo
  • 45. WRT - Weighted Risk Trend #SSDLC@imolinfo Weighted Sum of vulnerabilities per application risk factor Example Blocker: 4 x 2.5 Critical: 133 x 2 Major: 508 x 1.5 Minor: 314 x 1 Application Risk Factor: 1.5 WRT = 2028
  • 46. Security in a CI/CD process #SSDLC@imolinfo Software Security Checks Toolchain Software Component Analysis DAST OWASP ZAP SAST Continuos Integration SCM Issue Tracking Artifact Repository Container Security Platform Application Collaboration Suite SIEM
  • 47. Key Takeaway points TOOLS can help you, but use them WISELY #SSDLC@imolinfo Security CAN fit your software development PROCESS Build security AWARENESS in your organization Security is TESTABLE and MEASURABLE in an AUTOMATED fashion
  • 48. Do you have any question? 42!(*) (*) If you don’t know why 42 is your answer, I’ve got some bad news for you… Black Hats are the least of your problems: Vogons are on the way! #SSDLC@imolinfo